Windows Analysis Report
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE

Overview

General Information

Sample name: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Analysis ID: 1546329
MD5: c20f986ed82e351e90b8a8140ccbf8e9
SHA1: 9b62da430088fb0a73deaa8fb99ca7df89ffc0b2
SHA256: d8475f7c55ff4a9e40c2593b477d2bed7d7c3e8f79ef3eed64a61794b328f130

Detection

Score: 40
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 51
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Installs new ROOT certificates
Overwrites Mozilla Firefox settings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Remote Thread Creation By Uncommon Source Image
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • WIN_SCM_RDM_INSTALL_4.0.4.0.EXE (PID: 4432 cmdline: "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE" MD5: C20F986ED82E351E90B8A8140CCBF8E9)
    • WIN_SCM_RDM_INSTALL_4.0.4.0.tmp (PID: 5428 cmdline: "C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$2043E,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE" MD5: C2B12368174C2843B050C1000CD7A7F3)
      • WIN_DA_Install_4.0.4.0.exe (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART MD5: FAC28B29942B43B885400CCBCBC47C06)
        • WIN_DA_INSTALL_4.0.4.0.tmp (PID: 600 cmdline: "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART MD5: 895924B96B8B7BC52781E921E0AB93B8)
          • net.exe (PID: 6708 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 3140 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 6704 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 3548 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • cmd.exe (PID: 1740 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • Conhost.exe (PID: 600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 4476 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • rdmappweb-4.6.0-ms-windows-x86.exe (PID: 1360 cmdline: "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT MD5: 8DFECDDDB51D01D40B8FC278AE3C555C)
            • rdmappweb-4.6.0-ms-windows-x86.tmp (PID: 796 cmdline: "C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104F4,6322833,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT MD5: 62B4483DC79B5846006C0C644B51FE6C)
              • RDMAppman.exe (PID: 3732 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
              • RDMAppman.exe (PID: 3548 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
              • RDMAppman.exe (PID: 4916 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
          • net.exe (PID: 1868 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 928 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 2208 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 1856 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • vcredist_x86.exe (PID: 2648 cmdline: "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe" /q MD5: B88228D5FEF4B6DC019D69D4471F23EC)
            • Setup.exe (PID: 3732 cmdline: c:\8ae2907c08a3ced0022a08\Setup.exe /q MD5: 006F8A615020A4A17F5E63801485DF46)
          • RDM_ROOT_CERTIFICATE.exe (PID: 6784 cmdline: "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART MD5: DBC54A8343ACC3271098DD7F2E5B7345)
            • RDM_ROOT_CERTIFICATE.tmp (PID: 2364 cmdline: "C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$40508,6221732,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART MD5: 3E828ACD7AFDC653C0E0CA4F00A876C6)
              • certmgr.exe (PID: 1852 cmdline: "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root MD5: 5D077A0CDD077C014EEDB768FEB249BA)
                • conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • Conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 1228 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 5432 cmdline: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • certutil.exe (PID: 5052 cmdline: "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" MD5: 0C6B43C9602F4D5AC9DCF907103447C4)
          • regsvr32.exe (PID: 4088 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
          • net.exe (PID: 4048 cmdline: "C:\Windows\system32\net.exe" stop RDMAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 4624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 6348 cmdline: C:\Windows\system32\net1 stop RDMAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
          • cmd.exe (PID: 6732 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 6944 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • RDMAppman.exe (PID: 1344 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
          • cmd.exe (PID: 6704 cmdline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 1908 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
            • Conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 5688 cmdline: "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • taskkill.exe (PID: 5460 cmdline: taskkill /F /IM "RDMAppman.exe" /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
          • net.exe (PID: 5432 cmdline: "C:\Windows\system32\net.exe" start RdmAppweb MD5: 31890A7DE89936F922D44D677F681A7F)
            • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • net1.exe (PID: 1144 cmdline: C:\Windows\system32\net1 start RdmAppweb MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • WIN_SCM_Support_4.0.3.1.exe (PID: 5404 cmdline: "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART MD5: A1234F8D3A7122BE13679CFA0D9EB3E6)
        • WIN_SCM_SUPPORT_4.0.3.1.tmp (PID: 7064 cmdline: "C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp" /SL5="$30500,7236847,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART MD5: 9ECEDBF75204AF13FD44FEE9708AD1A1)
  • RDMAppman.exe (PID: 2056 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe" MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
    • RDMAppweb.exe (PID: 5316 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe" MD5: BA232235CDE212CF4900B84C7BF1CC0E)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 6708 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • RDMAppman.exe (PID: 3520 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe" MD5: 13037BCDD7B6062CFC5D5939456AA7F0)
    • RDMAppweb.exe (PID: 2516 cmdline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe" MD5: BA232235CDE212CF4900B84C7BF1CC0E)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"", CommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$40508,6221732,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp, ParentProcessId: 2364, ParentProcessName: RDM_ROOT_CERTIFICATE.tmp, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"", ProcessId: 1228, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem", CommandLine: "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1228, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem", ProcessId: 5052, ProcessName: certutil.exe
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\System32\msiexec.exe, SourceProcessId: 6708, StartAddress: 215CDF50, TargetImage: C:\Windows\SysWOW64\net.exe, TargetProcessId: 6708
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1228, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", ProcessId: 5432, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Data: Command: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 600, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, ProcessId: 6708, ProcessName: net.exe
Source: Process started | Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Data: Command: "C:\Windows\system32\net.exe" start RdmAppweb, CommandLine: "C:\Windows\system32\net.exe" start RdmAppweb, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 600, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" start RdmAppweb, ProcessId: 5432, ProcessName: net.exe
Source: Process started | Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART, ParentImage: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp, ParentProcessId: 600, ParentProcessName: WIN_DA_INSTALL_4.0.4.0.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop RDMAppweb, ProcessId: 6708, ProcessName: net.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-31T19:22:58.229024+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49733 | TCP
2024-10-31T19:23:38.277211+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.4 | 49755 | TCP

AV Detection

Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Avira: detected
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | ReversingLabs: Detection: 29%
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F82C7A0 mprMakeSalt,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,15_2_6F82C7A0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F82C630 mprCryptPassword,sfmt,mprEncode64Block,15_2_6F82C630
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F82BDF0 mprGetRandomString,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,mprError,gettimeofday,_getpid,15_2_6F82BDF0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F82C880 mprMakePassword,mprMakeSalt,mprCryptPassword,sfmt,15_2_6F82C880
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F8198C0 mprGetRandomBytes,CryptAcquireContextA,mprGetError,CryptGenRandom,mprGetError,CryptReleaseContext,15_2_6F8198C0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_6F82C8F0 mprCheckPassword,sclone,stok,stok,stok,stok,atoi,mprCryptPassword,slen,slen,15_2_6F82C8F0

Compliance

Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-RKUSS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-AJNE0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\is-EF230.tmp
Source: C:\8ae2907c08a3ced0022a08\Setup.exe | File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20241031_142304785-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | File created: c:\8ae2907c08a3ced0022a08\1049\eula.rtf
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: certificate valid
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | File opened: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\MSVCR100.dll
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: RDMAppman.exe, RDMAppman.exe, 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000010.00000002.1876797863.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000012.00000002.1880373718.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000013.00000002.1900665337.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000014.00000002.1898727804.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000030.00000002.2129646793.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000031.00000002.2163573607.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000032.00000002.2166106318.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Home\user\zlib-1.2.5\zlib1.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 0000001E.00000000.1927089596.0000000001002000.00000020.00000001.01000000.00000017.sdmp, vcredist_x86.exe, 0000001E.00000002.2045263272.0000000001002000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000055FC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 0000001F.00000002.2043968580.000000006F851000.00000020.00000001.01000000.0000001A.sdmp, sqmapi.dll.30.dr
Source: Binary string: SetupEngine.pdb source: Setup.exe, 0000001F.00000002.2043754302.000000006C201000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMSCMWrap\Release\RDMSCMWrap.pdb source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdbLm source: is-BS9SC.tmp.14.dr
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"@ source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb0p@ source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000055FC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb$P source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdb source: is-BS9SC.tmp.14.dr
Source: Binary string: EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"ogr@ source: RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 0000001F.00000002.2042693879.0000000000B31000.00000020.00000001.01000000.00000018.sdmp, Setup.exe, 0000001F.00000000.1949442327.0000000000B31000.00000020.00000001.01000000.00000018.sdmp, Setup.exe.30.dr
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_00476120 FindFirstFileA,FindNextFileA,FindClose,14_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_004531A4 FindFirstFileA,GetLastError,14_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_00463344 FindFirstFileA,FindNextFileA,FindClose,14_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,14_2_0049998C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F835FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,15_2_6F835FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8B0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B0CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8ACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,15_2_6F8ACC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8B088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,15_2_6F8AC8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8781A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,15_2_6F8AE0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AFF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8ADBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,15_2_6F8ADBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,15_2_6F8AD687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8B110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F8AF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF169
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then push esi 15_2_6F85F680
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 4x nop then or byte ptr [edi], dh 15_2_6F867270
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49755
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.4:49733
Source: unknown DNS traffic detected: query: 209.183.8.0.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_6F828EF0 EnterCriticalSection,LeaveCriticalSection,mprYield,recvfrom,recv,mprResetYield,WSAGetLastError,LeaveCriticalSection,15_2_6F828EF0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: 209.183.8.0.in-addr.arpa
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/12282#comment:15
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/12359
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://bugs.jquery.com/ticket/13378
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.comodoca.com/SecureCertificateServices.crl09
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.geotrust.com/crls/globalca1.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Setup.exe, 0000001F.00000003.1995143975.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsof
Source: Setup.exe, 0000001F.00000003.1987627153.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001F.00000003.1987470345.0000000000A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft.co
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://dev.w3.org/csswg/cssom/#resolved-values
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1851937436.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1888743116.00000000020B1000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1851865219.0000000002340000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000003.1853712057.0000000002328000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000003.1883018084.00000000007C1000.00000004.00000020.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000003.1883335716.00000000007D4000.00000004.00000020.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000003.1853640431.0000000003110000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000002.1886882090.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000003.1884362222.0000000002328000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://embedthis.com/downloads/licensing.html
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000002.1884824094.000000000018E000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://embedthis.com/products/appweb/doc/guide/appweb/users/authentication.html.
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: Setup.exe, 0000001F.00000003.1965172246.0000000002710000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001F.00000003.1960239484.0000000000970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jquery.com/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jquery.org/license
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, is-FUR3P.tmp.3.dr String found in binary or memory: http://jqueryui.com
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, is-FUR3P.tmp.3.dr String found in binary or memory: http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jsperf.com/getall-vs-sizzle/2
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.comodoca.com0%
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.comodoca.com0-
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.comodoca.com0/
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.comodoca.com05
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.entrust.net03
Source: is-FHH1A.tmp.34.dr String found in binary or memory: http://ocsp.entrust.net0D
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://ocsp.pki.gva.es0
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://policy.camerfirma.com0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://purl.oclc.org/dsdl/schematron
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmp, is-ENH3B.tmp.3.drString found in binary or memory: http://relaxng.org/ns/structure/1.0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://relaxng.org/ns/structure/1.0allocating
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://repository.swisssign.com/0
Source: eula.rtf2.30.drString found in binary or memory: http://schemas.microsoft
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805793410.000000007FE49000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.1805575122.000000000267D000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192601386.000000007FE48000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2192350909.000000000269C000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.drString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://sizzlejs.com/
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ascc.net/xml/schematron
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.ascc.net/xml/schematronhttp://purl.oclc.org/dsdl/schematronallocating
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.certifikat.dk/repository0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.chambersign.org1
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.disig.sk/ca0f
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.firmaprofesional.com/cps0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.firmaprofesional.com0
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000000.1852957625.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000002.2087081373.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.innosetup.com/
Source: rdmappweb-4.6.0-ms-windows-x86.exe, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000000.1851464606.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000000.2058657491.0000000000401000.00000020.00000001.01000000.0000001E.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000000.1851464606.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000000.2058657491.0000000000401000.00000020.00000001.01000000.0000001E.sdmpString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: certutil.exe, 00000028.00000002.2084904455.000000006F713000.00000002.00000001.01000000.00000025.sdmp, certutil.exe, 00000028.00000002.2084774807.000000006F703000.00000002.00000001.01000000.00000026.sdmp, certutil.exe, 00000028.00000002.2084517168.000000006C707000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: http://www.mozilla.org/MPL/
Source: certutil.exe, 00000028.00000002.2084904455.000000006F713000.00000002.00000001.01000000.00000025.sdmp, certutil.exe, 00000028.00000002.2084774807.000000006F703000.00000002.00000001.01000000.00000026.sdmp, certutil.exe, 00000028.00000002.2084517168.000000006C707000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdConverting
Source: is-BS9SC.tmp.14.drString found in binary or memory: http://www.openssl.org/V
Source: is-BS9SC.tmp.14.drString found in binary or memory: http://www.openssl.org/support/faq.html
Source: is-BS9SC.tmp.14.drString found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.phreedom.org/md5)
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.phreedom.org/md5)0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.phreedom.org/md5)MD5
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.pki.gva.es/cps0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.pki.gva.es/cps0%
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.quovadis.bm0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.quovadisglobal.com/cps0
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2194477307.0000000003480000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2301400036.00000000025E3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com
Source: RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2088264797.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059131336.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2062075406.0000000002218000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2086733217.0000000002218000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com&
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com//industries-served/check-cashing
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/about-us
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/board-of-directors
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/careers
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/executive-team
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/industry-links
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/company/investors
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/contact
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/all-in-one-payment-terminal
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/check-scanners
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/digital-imaging-solutions/micr-image-quality-control
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/industries-served/brokerage-firms
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/industries-served/financial-institutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/industries-served/property-management
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/markets-served
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/news-and-events
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/partners/find-a-partner
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/data-management
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/image-cash-letter
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/professional-services
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/remittance-processing
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/payment-processing-solutions/remote-deposit-capture
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/privacy-statement
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/support
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.com/terms-of-use
Source: WIN_DA_Install_4.0.4.0.exe, 00000002.00000003.2175252176.0000000002323000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.comQ62
Source: WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2306212319.0000000002343000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.rdmcorp.comQ64
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1852544687.00000000020BC000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1852384190.0000000002340000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000000.1852957625.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000002.2087081373.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.remobjects.com/ps
Source: rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1852544687.00000000020BC000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000003.1852384190.0000000002340000.00000004.00001000.00020000.00000000.sdmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000000.1852957625.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000002.2087081373.0000000000401000.00000020.00000001.01000000.0000001F.sdmpString found in binary or memory: http://www.remobjects.com/psU
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.sk.ee/cps/0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.sk.ee/juur/crl/0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.valicert.com/1
Source: is-FHH1A.tmp.34.drString found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000002.2172919720.000000000018E000.00000004.00000010.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2300820202.0000000003764000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.zlib.net/D
Source: rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000002.1884824094.000000000018E000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https:///admin/login.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=491668
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=649285
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.mozilla.org/en/Security/CSP)
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery/jquery/pull/764
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXEString found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://localhost:736/SCM/4.0/da.esp
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://localhost:736/SCM/4.0/da.espDA_UserIdInstallFile
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://localhost:736/SCM/4.0/scm.esp
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://localhost:736/SCM/4.0/scm.espSCM_UserId
Source: is-FHH1A.tmp.34.drString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: is-FHH1A.tmp.34.drString found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: is-FHH1A.tmp.34.drString found in binary or memory: https://secure.comodo.com/CPS0
Source: is-FHH1A.tmp.34.drString found in binary or memory: https://www.catcert.net/verarrel
Source: is-FHH1A.tmp.34.drString found in binary or memory: https://www.catcert.net/verarrel05
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000001.00000000.1722272904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | String found in binary or memory: https://www.innosetup.com/
Source: is-FHH1A.tmp.34.dr | String found in binary or memory: https://www.netlock.hu/docs/
Source: is-FHH1A.tmp.34.dr | String found in binary or memory: https://www.netlock.net/docs
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000001.00000000.1722272904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | String found in binary or memory: https://www.remobjects.com/ps
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0042F9C0 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00423FD4 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00412A28 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00479D08 NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00457D90 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0042ED84 CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_00701BC5 OpenSCManagerA,mprError,OpenServiceA,CloseServiceHandle,mprError,ControlService,GetLastError,mprSleep,QueryServiceStatus,QueryServiceStatus,mprSleep,QueryServiceStatus,GetLastError,mprError,DeleteService,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-8US6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-B1058.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-43SV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File created: C:\Windows\SysWOW64\is-7J1SR.tmp
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\4b2a01.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{196BB40D-1578-3D01-B289-BEFC77A11A1E}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI2C81.tmp
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\atl100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfc100u.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfcm100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Windows\System32\msiexec.exe | File created: c:\Windows\Installer\4b2a04.msi
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | File created: C:\Windows\SysWOW64\is-7IV3V.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\4b2a04.msi
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F826F20 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F860C80 appears 152 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F86A51F appears 42 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F827010 appears 46 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F86B046 appears 63 times
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: String function: 6F860C67 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00446274 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00453AAC appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0043497C appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00458718 appears 79 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040905C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00407D44 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00446544 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0045850C appears 100 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 0040357C appears 33 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00406F14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: String function: 00403684 appears 229 times
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: WIN_DA_INSTALL_4.0.4.0.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-R0CGS.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.13.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.13.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: rdmappweb-4.6.0-ms-windows-x86.tmp.13.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-SAE1N.tmp.14.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-SAE1N.tmp.14.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-SAE1N.tmp.14.dr | Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: SetupResources.dll4.30.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SetupResources.dll1.30.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll.30.dr | Static PE information: No import functions for PE file found
Source: mfc100enu.dll.32.dr | Static PE information: No import functions for PE file found
Source: mfc100deu.dll.32.dr | Static PE information: No import functions for PE file found
Source: mfc100rus.dll.32.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll8.30.dr | Static PE information: No import functions for PE file found
Source: mfc100fra.dll.32.dr | Static PE information: No import functions for PE file found
Source: mfc100esn.dll.32.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll2.30.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll5.30.dr | Static PE information: No import functions for PE file found
Source: mfc100jpn.dll.32.dr | Static PE information: No import functions for PE file found
Source: mfc100kor.dll.32.dr | Static PE information: No import functions for PE file found
Source: mfc100chs.dll.32.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll6.30.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll3.30.dr | Static PE information: No import functions for PE file found
Source: mfc100cht.dll.32.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll0.30.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll7.30.dr | Static PE information: No import functions for PE file found
Source: mfc100ita.dll.32.dr | Static PE information: No import functions for PE file found
Source: SetupResources.dll4.30.dr | Static PE information: No import functions for PE file found
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000000.1718815890.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.2602453869.0000000002218000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000025DC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FE38000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Binary or memory string: OriginalFileName vs WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: mfc100enu.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100deu.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100rus.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100fra.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100esn.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100jpn.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100kor.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100chs.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100cht.dll.32.dr | Static PE information: Section .rsrc
Source: mfc100ita.dll.32.dr | Static PE information: Section .rsrc
Source: classification engine | Classification label: mal40.phis.spyw.evad.winEXE@113/493@1/0
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_004098E8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00455D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_004565A8 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_007015F0 OpenSCManagerA,mprError,OpenServiceA,GetModuleFileNameA,CreateServiceA,GetLastError,GetLastError,GetLastError,mprError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,fmt,mprWriteRegistry,mprError,fmt,mprWriteRegistry,mprError,mprGetAppDir,mprGetPathParent,mprWriteRegistry,mprError,mprWriteRegistry,mprError
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0046EE04 GetVersion,CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_0040A0D4 FindResourceA,SizeofResource,LoadResource,LockResource
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_00701955 OpenSCManagerA,mprError,OpenServiceA,mprError,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,mprError
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Code function: 15_2_00701510 OpenSCManagerA,mprError,GetServiceDisplayNameA,CloseServiceHandle,StartServiceCtrlDispatcherA,GetLastError,mprError
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Program Files (x86)\RDM Corporation
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6992:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5264:120:WilError_03
Source: C:\8ae2907c08a3ced0022a08\Setup.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | File created: C:\Users\user\AppData\Local\Temp\is-646K4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert""
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --args (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --console (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --continue (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --daemon (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --heartBeat (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --home (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --log (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --name (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --program (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: --verbose (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: 8Ip (15_2_00702350)
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Command line argument: run (15_2_00702350)
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXEKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXEKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\Conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT ALL * FROM %s;
Source: RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2085566824.0000000005592000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | ReversingLabs: Detection: 29%
Source: rdmappweb-4.6.0-ms-windows-x86.exe | String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: RDMAppman.exe | String found in binary or memory: --help
Source: RDMAppman.exe | String found in binary or memory: --help
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | File read: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Source: unknown | Process created: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Process created: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$2043E,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp "C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104F4,6322833,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start
Source: unknown | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe" /q
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | Process created: C:\8ae2907c08a3ced0022a08\Setup.exe c:\8ae2907c08a3ced0022a08\Setup.exe /q
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$40508,6221732,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: unknown | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start RdmAppweb
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp "C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp" /SL5="$30500,7236847,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Process created: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$2043E,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Process created: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe" /q
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Process created: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp "C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104F4,6322833,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe | Process created: C:\8ae2907c08a3ced0022a08\Setup.exe c:\8ae2907c08a3ced0022a08\Setup.exe /q
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe | Process created: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$40508,6221732,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem"
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | Process created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp "C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp" /SL5="$30500,7236847,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | Process created: unknown unknown
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Section loaded: version.dll
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: netapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: winhttp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: netutils.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wtsapi32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: winsta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: edputil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: urlmon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: appresolver.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: bcp47langs.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: slc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: sppc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: msimg32.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ncrypt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: ntasn1.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: explorerframe.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sfc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: sfc_os.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libappweb.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libslink.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: libpcre.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: clusapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe Section loaded: iertutil.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: apphelp.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: acgenral.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: uxtheme.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: winmm.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: samcli.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msacm32.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: version.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: userenv.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: dwmapi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: urlmon.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: mpr.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: sspicli.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: winmmbase.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: winmmbase.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: iertutil.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: srvcli.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: netutils.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: setupengine.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: winhttp.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: secur32.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: sqmapi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msasn1.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: windows.storage.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: wldp.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: profapi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: ntmarta.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: kernel.appcore.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msxml3.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: cryptsp.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: rsaenh.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: cryptbase.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: gpapi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: msisip.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: srpapi.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: tsappcmp.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: netapi32.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmpSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: cryptui.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: nssutil3.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: smime3.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: nss3.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplc4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libplds4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: libnspr4.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: atl100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcp100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: uxtheme.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: msvcr100.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libappweb.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libslink.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libhttp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libmpr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: libpcre.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: napinsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: wshbth.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: nlaapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: iphlpapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: mswsock.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: dnsapi.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: winrnr.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Window found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp | Automated click: Next
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-RKUSS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-AJNE0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp | Directory created: C:\Program Files\Mozilla Firefox\is-EF230.tmp
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: certificate valid
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static file information: File size 41523552 > 1048576
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe | File opened: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\MSVCR100.dll
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: msvcr100.i386.pdb source: RDMAppman.exe, RDMAppman.exe, 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000010.00000002.1876797863.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000012.00000002.1880373718.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000013.00000002.1900665337.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000014.00000002.1898727804.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000030.00000002.2129646793.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp, RDMAppman.exe, 00000031.00000002.2163573607.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp, RDMAppweb.exe, 00000032.00000002.2166106318.000000006C0B1000.00000020.00000001.01000000.0000000F.sdmp
Source: Binary string: C:\Home\user\zlib-1.2.5\zlib1.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sfxcab.pdb source: vcredist_x86.exe, 0000001E.00000000.1927089596.0000000001002000.00000020.00000001.01000000.00000017.sdmp, vcredist_x86.exe, 0000001E.00000002.2045263272.0000000001002000.00000020.00000001.01000000.00000017.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000055FC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile"${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sqmapi.pdb source: Setup.exe, 0000001F.00000002.2043968580.000000006F851000.00000020.00000001.01000000.0000001A.sdmp, sqmapi.dll.30.dr
Source: Binary string: SetupEngine.pdb source: Setup.exe, 0000001F.00000002.2043754302.000000006C201000.00000020.00000001.01000000.00000019.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMSCMWrap\Release\RDMSCMWrap.pdb source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005450000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdbLm source: is-BS9SC.tmp.14.dr
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"@ source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\RDMDA\Services\Win\RDMDAService\Release\RDMUtil.pdb0p@ source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000055FC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Source\VSS_SCM\SCM40\Source\ActiveXWrappers\RDMDAWrap\Release\RDMDAWrap.pdb$P source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005467000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: EspCompile "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: c:\openssl-1.0.1h\out32dll\libeay32.pdb source: is-BS9SC.tmp.14.dr
Source: Binary string: EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}"ogr@ source: RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Setup.pdb source: Setup.exe, 0000001F.00000002.2042693879.0000000000B31000.00000020.00000001.01000000.00000018.sdmp, Setup.exe, 0000001F.00000000.1949442327.0000000000B31000.00000020.00000001.01000000.00000018.sdmp, Setup.exe.30.dr
Source: Binary string: #EspCompile "${CC}" -LD ${DEBUG} -D_REENTRANT -D_MT -nologo -GR- -W3 -MDd -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "${CC}" -LD -D_REENTRANT -D_MT -nologo -GR- -W3 -MD -I. -I${APPINC} -I"${INC}" -Fo"${MOD}.obj" -Fd"${MOD}.pdb" -Fe"${MOD}${SHOBJ}" "${SRC}" ${CFLAGS} ${LIBS} ${LDFLAGS} ws2_32.lib source: RDMAppweb.exe, 00000014.00000002.1897580803.0000000001B10000.00000004.00001000.00020000.00000000.sdmp, RDMAppweb.exe, 00000032.00000002.2163335415.0000000001D60000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 14_2_00450994
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | Static PE information: section name: .didata
Source: WIN_SCM_RDM_INSTALL_4.0.4.0.tmp.0.dr | Static PE information: section name: .didata
Source: is-E0EB0.tmp.1.dr | Static PE information: section name: .didata
Source: is-83PD6.tmp.1.dr | Static PE information: section name: .didata
Source: is-VP3PB.tmp.1.dr | Static PE information: section name: .didata
Source: WIN_DA_INSTALL_4.0.4.0.tmp.2.dr | Static PE information: section name: .didata
Source: is-R0CGS.tmp.3.dr | Static PE information: section name: .didata
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_00406A18 push 00406A55h; ret | 13_2_00406A4D
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_004040B5 push eax; ret | 13_2_004040F1
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_00404185 push 00404391h; ret | 13_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_00404206 push 00404391h; ret | 13_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_004042E8 push 00404391h; ret | 13_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_00404283 push 00404391h; ret | 13_2_00404389
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_004093B4 push 004093E7h; ret | 13_2_004093DF
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe | Code function: 13_2_00408580 push ecx; mov dword ptr [esp], eax | 13_2_00408585
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_3_0235ED8C pushfd ; retf | 14_3_0235ED8D
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_3_0235ED8C pushfd ; retf | 14_3_0235ED8D
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_3_0235ED8C pushfd ; retf | 14_3_0235ED8D
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00409D9C push 00409DD9h; ret | 14_2_00409DD1
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0041A078 push ecx; mov dword ptr [esp], ecx | 14_2_0041A07D
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00452100 push ecx; mov dword ptr [esp], eax | 14_2_00452105
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040A273 push ds; ret | 14_2_0040A29D
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_004062C4 push ecx; mov dword ptr [esp], eax | 14_2_004062C5
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040A29F push ds; ret | 14_2_0040A2A0
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00460518 push ecx; mov dword ptr [esp], ecx | 14_2_0046051C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00496594 push ecx; mov dword ptr [esp], ecx | 14_2_00496599
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_004587B4 push 004587ECh; ret | 14_2_004587E4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00410930 push ecx; mov dword ptr [esp], edx | 14_2_00410935
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00486A94 push ecx; mov dword ptr [esp], ecx | 14_2_00486A99
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00478D50 push ecx; mov dword ptr [esp], edx | 14_2_00478D51
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_00412D78 push 00412DDBh; ret | 14_2_00412DD3
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040D288 push ecx; mov dword ptr [esp], edx | 14_2_0040D28A
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040546D push eax; ret | 14_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040553D push 00405749h; ret | 14_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_004055BE push 00405749h; ret | 14_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040563B push 00405749h; ret | 14_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_004056A0 push 00405749h; ret | 14_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | Code function: 14_2_0040F7E8 push ecx; mov dword ptr [esp], edx | 14_2_0040F7EA
Source: is-KLGM9.tmp.14.dr | Static PE information: section name: .text entropy: 6.9169969425576285

Persistence and Installation Behavior

Source: C:\8ae2907c08a3ced0022a08\Setup.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\8ae2907c08a3ced0022a08\Setup.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5427A9B33E7D74F84EEE218A17BE40352B745EE0 Blob
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\libplds4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-UG9QC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_SCM_Support\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\ssl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\iconv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-B76PT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmSCMWrap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe File created: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-AR2RP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-P19FD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\SetupUi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1041\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nss3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-BS9SC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-66AM3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-84VHQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DHMM3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-NRDDP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-K96FQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\sqmapi.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-SAE1N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-4TLUB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\unins000.exe (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\Setup.exe
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-P4SR6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libhttp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-LT8OJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-LUR6P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libpcre.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_SCM_Support\is-NU2T0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\libplc4.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssckbi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssutil3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\libnspr4.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C0VMN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-291AF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\SetupEngine.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\2052\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\RDMUtil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ODEF1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-0NOPJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe File created: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\is-7J1SR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KLGM9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-E2KL5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\freebl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-26IBC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-PBL1C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMSAPIDLL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-CVN83.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-02PTS.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\atl100.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\zlib1.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\is-VP3PB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-SBL4H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\is-8US6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-UCURD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-FHH1A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe File created: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe File created: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Windows\SysWOW64\is-7IV3V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\3082\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-PKI7I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\is-83PD6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5AMK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmpr.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-5LMKM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HU82P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-I730K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1033\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\msvcr100.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\smime3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-3OIE9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\is-43SV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ENH3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\is-E0EB0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-C1AJE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssdbm3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\libxml2.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1049\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-IQELN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Windows\SysWOW64\is-B1058.tmp
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE File created: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libappweb.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-PLTOC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: C:\8ae2907c08a3ced0022a08\1042\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libslink.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\sqlite3.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\softokn3.dll (copy)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-95ERF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-DIRJS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\is-R0CGS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-0O571.tmp
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp File created: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_RDM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Users\user\AppData\Local\Temp\is-NBB3F.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp File created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C9PV1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\SysWOW64\mfc100jpn.dll
Source: C:\8ae2907c08a3ced0022a08\Setup.exe File created: C:\Users\user\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20241031_142304785-MSI_vc_red.msi.txt
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1033\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1041\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1042\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1028\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\2052\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1040\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1036\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1031\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\3082\eula.rtf
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe File created: c:\8ae2907c08a3ced0022a08\1049\eula.rtf
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\rdmappman
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RDMAppweb
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop RDMAppweb
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe Code function: 15_2_00701955 OpenSCManagerA,mprError,OpenServiceA,mprError,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,GetLastError,mprError, 15_2_00701955
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp Code function: 14_2_0042405C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 14_2_0042405C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0041811E IsIconic,SetWindowPos,14_2_0041811E
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00418120 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,14_2_00418120
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_004245E4 IsIconic,SetActiveWindow,14_2_004245E4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0042462C IsIconic,SetActiveWindow,SetFocus,14_2_0042462C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_004187D4 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,14_2_004187D4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00422CAC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,14_2_00422CAC
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00484D28 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,14_2_00484D28
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0042F71C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,14_2_0042F71C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_004179E8 IsIconic,GetCapture,14_2_004179E8
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0041F568 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,14_2_0041F568
FAILCRITICALERRORS and NOOPENFILEERRORBOX are the SEM_FAILCRITICALERRORS (0x0001) and SEM_NOOPENFILEERRORBOX (0x8000) bits of the process error mode, the value an installer passes to SetErrorMode so that a missing DLL or a critical I/O error fails quietly instead of raising a dialog that would block unattended setup. Every process in the rows below is an installer stage (the Inno Setup stubs running from is-XXXXX.tmp directories, the VC++ redistributable's Setup.exe, msiexec) or a cmd.exe, tasklist.exe or taskkill.exe helper, so on their own these rows are consistent with unattended installation rather than anti-analysis. The sandbox still records the call because the same API is also used by samples that compare SetErrorMode's return value against the mode they set, to detect a debugger that has reset it. Identical rows are listed once with their count.
Source: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe  Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\SysWOW64\tasklist.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\8ae2907c08a3ced0022a08\Setup.exe  Process information set: NOOPENFILEERRORBOX (6 occurrences)
Source: C:\Windows\System32\msiexec.exe  Process information set: NOOPENFILEERRORBOX (17 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe  Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\taskkill.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (11 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy)
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy)
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\ssl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\iconv.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmSCMWrap.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-B76PT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-AR2RP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-P19FD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\SetupUi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1041\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\vcomp100.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100deu.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-BS9SC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-66AM3.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100u.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-NRDDP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-K96FQ.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100esn.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-SAE1N.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-4TLUB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100rus.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-LT8OJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-LUR6P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssckbi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy)
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100enu.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcr100_x86
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C0VMN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-291AF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\2052\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ODEF1.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\RDMUtil.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-0NOPJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-7J1SR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KLGM9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\freebl3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-E2KL5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-26IBC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-PBL1C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMSAPIDLL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-CVN83.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-02PTS.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\zlib1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-SBL4H.tmp
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\is-VP3PB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-8US6A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-UCURD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-FHH1A.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100ita.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-7IV3V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-PKI7I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\3082\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5AMK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HU82P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1036\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1033\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-I730K.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100fra.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-3OIE9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-43SV4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ENH3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssdbm3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\libxml2.dll (copy)
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100.dll
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1049\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-IQELN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-B1058.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1040\SetupResources.dll
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe  Dropped PE file which has not been started: C:\8ae2907c08a3ced0022a08\1042\SetupResources.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfcm100u.dll
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\D04BB691875110D32B98EBCF771AA1E1\10.0.30319\F_CENTRAL_msvcp100_x86
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\softokn3.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\is-95ERF.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100kor.dll
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-DIRJS.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-0O571.tmp
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_RDM_Support_4.0.3.1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-NBB3F.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C9PV1.tmp
Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100jpn.dll
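A triage pass over the dropped-file rows above, as an added example that is not part of the Joe Sandbox report and not RDM's code. It takes ten rows copied from the list (a constructed sample), buckets each drop by dropping process and destination, and calls out three things worth checking by hand: files written under C:\Windows (here by the WIN_DA_INSTALL stage and, for the VC++ runtime, by msiexec); the is-XXXXX.tmp staging names, which Inno Setup renames to their final names once installation commits, so the name in the row does not identify the file and it has to be matched by hash; and TLS libraries. The NSS set dropped by RDM_ROOT_CERTIFICATE.tmp (ssl3.dll, nssckbi.dll, softokn3.dll, freebl3.dll, nssdbm3.dll) is what Mozilla's certutil needs to write a Firefox certificate database, which fits the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures in the overview; the rows here do not show certutil itself, so that link is an inference to confirm in the process tree. The bucket names, the library lists and the two-space column separator are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: ten "Dropped PE file" rows copied from this report.
# The "(copy)" marker and the page's "Jump to dropped file" link text are
# tolerated so rows can be pasted straight from the report.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy)",
    r"Source: C:\Windows\System32\msiexec.exe  Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc100cht.dll",
    r"Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\ssl3.dll (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\iconv.dll (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-B76PT.tmp",
    r"Source: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\nssckbi.dll (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\RDMUtil.exe (copy)",
    r"Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp  Dropped PE file which has not been started: C:\Windows\SysWOW64\is-7J1SR.tmpJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp  Dropped PE file which has not been started: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy)",
]

ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*Dropped PE file which has not been started:\s*"
    r"(?P<path>.+?)(?:\s*\(copy\))?(?:Jump to dropped file)?$"
)

# Inno Setup extracts each file under a temporary is-XXXXX.tmp name and renames
# it when the install commits, so such a name says nothing about what the file is.
INNO_STAGING = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)
# TLS/certificate libraries: NSS (what Mozilla's certutil needs to edit a Firefox
# certificate database) and OpenSSL 1.0.x. Lists are this example's assumption.
NSS_LIBS = {"nss3.dll", "ssl3.dll", "nssckbi.dll", "softokn3.dll", "freebl3.dll",
            "nssdbm3.dll", "smime3.dll", "nssutil3.dll"}
OPENSSL_LIBS = {"libeay32.dll", "ssleay32.dll"}


@dataclass
class Drop:
    process: str
    path: str
    name: str
    location: str
    inno_staging: bool
    crypto_lib: str  # "nss", "openssl" or "" when not a known TLS library


def location_class(path: str) -> str:
    """Coarse bucket for where a dropped file landed."""
    p = path.lower()
    if p.startswith("c:\\windows\\"):
        return "system_dir"
    if p.startswith("c:\\program files"):
        return "program_files"
    if "\\appdata\\local\\temp\\" in p:
        return "user_temp"
    return "other"


def parse_row(row: str):
    """One report row -> Drop, or None if the row is not a dropped-file row."""
    m = ROW_RE.match(row)
    if not m:
        return None
    path = m.group("path")
    name = PureWindowsPath(path).name
    lib = "nss" if name.lower() in NSS_LIBS else "openssl" if name.lower() in OPENSSL_LIBS else ""
    return Drop(m.group("proc"), path, name, location_class(path), bool(INNO_STAGING.match(name)), lib)


def triage(rows):
    """Summarise who dropped what where, and which drops need a closer look."""
    drops = [d for d in map(parse_row, rows) if d is not None]
    by_dropper = defaultdict(Counter)
    for d in drops:
        by_dropper[PureWindowsPath(d.process).name][d.location] += 1
    return {
        "drops": drops,
        "by_dropper": {proc: dict(counts) for proc, counts in by_dropper.items()},
        "system_dir": sorted(d.path for d in drops if d.location == "system_dir"),
        "staging_names": sorted(d.name for d in drops if d.inno_staging),
        "crypto_libs": {d.name: d.crypto_lib for d in drops if d.crypto_lib},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    for proc, counts in summary["by_dropper"].items():
        print(f"{proc:<40} {counts}")
    print("written into system directories:", *summary["system_dir"], sep="\n  ")
    print("Inno Setup staging names (identity unknown from the row):", summary["staging_names"])
    print("TLS libraries:", summary["crypto_libs"])
```

Run over the full list, the same logic also surfaces the CertMgr.Exe copy dropped into the Appweb directory and the RDMUtil.exe, iconv.dll, libxml2.dll and zlib1.dll copies placed in C:\Windows\SysWOW64 by the WIN_DA_INSTALL stage; third-party DLLs in a system directory are a DLL-search-order concern for every other 32-bit process on the host, so their versions and signatures are the first thing to check.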
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeEvasive API call chain: GetSystemTime,DecisionNodesgraph_13-6076
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeAPI coverage: 2.6 %
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\8ae2907c08a3ced0022a08\Setup.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\8ae2907c08a3ced0022a08\Setup.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00476120 FindFirstFileA,FindNextFileA,FindClose,14_2_00476120
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_004531A4 FindFirstFileA,GetLastError,14_2_004531A4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_004648D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_004648D0
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00464D4C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,14_2_00464D4C
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00463344 FindFirstFileA,FindNextFileA,FindClose,14_2_00463344
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0049998C FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,14_2_0049998C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F835FA0 mprCreateList,mprJoinPath,FindFirstFileA,memcpy,fmt,mprAddItem,FindNextFileA,FindClose,15_2_6F835FA0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8B0CBB _wstat64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B0CBB
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8ACC23 _malloc_crt,FindClose,FindFirstFileExW,FindNextFileW,FindClose,15_2_6F8ACC23
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8B088A _wstat32,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B088A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AC8FD _malloc_crt,FindClose,FindFirstFileExA,FindNextFileA,FindClose,15_2_6F8AC8FD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8781A1 _wstat64i32,_wcspbrk,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,_errno,__doserrno,__doserrno,_errno,_invalid_parameter_noinfo,towlower,GetDriveTypeW,free,___loctotime64_t,free,_wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8781A1
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AE0BD _wfindfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,_wfindnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileW,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,wcscpy_s,__invoke_watson,15_2_6F8AE0BD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AFF0E _stat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AFF0E
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8ADBC0 _findfirst64i32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64i32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst32i64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32i64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_seterrormode,SetErrorMode,15_2_6F8ADBC0
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AF9DD _stat64i32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64i32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF9DD
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AD687 _findfirst32,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext32,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findfirst64,_errno,_invalid_parameter_noinfo,FindFirstFileExA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,_findnext64,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,FindNextFileA,GetLastError,_errno,_errno,_errno,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,strcpy_s,__invoke_watson,15_2_6F8AD687
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AF593 _stat64,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime64_t,free,__wsopen_s,__fstat64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime64_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF593
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8B110C _wstat32i64,__doserrno,_errno,_invalid_parameter_noinfo,_wcspbrk,_errno,__doserrno,towlower,_getdrive,FindFirstFileExW,_wcspbrk,_wcslen,GetDriveTypeW,free,___loctotime32_t,free,_wsopen_s,__fstat32i64,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___wdtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8B110C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8AF169 _stat32,__doserrno,_errno,_invalid_parameter_noinfo,_mbspbrk,_errno,__doserrno,_mbctolower,_getdrive,FindFirstFileExA,_mbspbrk,__wfullpath_helper,_strlen,_IsRootUNCName,GetDriveTypeA,free,___loctotime32_t,free,__wsopen_s,__fstat32,_close,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FileTimeToLocalFileTime,FileTimeToSystemTime,___loctotime32_t,FindClose,___dtoxmode,GetLastError,__dosmaperr,FindClose,15_2_6F8AF169
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: 13_2_0040A018 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,13_2_0040A018
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2172684286.0000000000832000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}g
Source: certutil.exe, 00000028.00000002.2083465213.00000000012AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: RDMAppweb.exe, 00000014.00000002.1897192458.0000000000DDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr4
Source: RDMAppman.exe, 00000030.00000002.2128369427.0000000000C28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2303153331.0000000000976000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\(
Source: RDMAppman.exe, 00000012.00000002.1879695344.00000000011A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: RDMAppman.exe, 00000013.00000002.1900231413.0000000000FA3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RDMAppweb.exe, 00000032.00000002.2162750954.0000000001258000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2303153331.0000000000976000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Sx
Source: RDMAppman.exe, 0000000F.00000002.1874056987.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000010.00000002.1876375817.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, RDMAppman.exe, 00000031.00000002.2162366672.0000000000B28000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmpProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_00702F34 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_00702F34
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8D6BA4 VirtualProtect ?,-00000001,00000104,?15_2_6F8D6BA4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00450994 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,14_2_00450994
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8D9B6F __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,__setmode_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__doserrno,_errno,__lseeki64_nolock,_get_osfhandle,SetEndOfFile,_errno,__doserrno,GetLastError,__lseeki64_nolock,15_2_6F8D9B6F
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_00702F34 IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_00702F34
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8391CE IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_6F8391CE
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8DAD2C _crt_debugger_hook,_memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,15_2_6F8DAD2C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8607A7 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_6F8607A7
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8DC097 __report_gsfailure,IsDebuggerPresent,_crt_debugger_hook,SetUnhandledExceptionFilter,UnhandledExceptionFilter,_crt_debugger_hook,GetCurrentProcess,TerminateProcess,15_2_6F8DC097
Source: C:\8ae2907c08a3ced0022a08\Setup.exeMemory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0047974C ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,14_2_0047974C
Source: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmpProcess created: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem"
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop RDMAppweb
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start RdmAppweb
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmpProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM "RDMAppman.exe" /T
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe "c:\users\user\appdata\local\temp\is-u1aot.tmp\rdmcert"\certutil.exe -a -n "rdm_device" -t "tcu,tcu,tcu" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default\." -i "c:\users\user\appdata\local\temp\is-u1aot.tmp\rdmcert\rdmroot.pem"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe "c:\users\user\appdata\local\temp\is-u1aot.tmp\rdmcert"\certutil.exe -a -n "rdm_device" -t "tcu,tcu,tcu" -d "c:\users\user\appdata\roaming\mozilla\firefox\profiles\z6bny8rn.default\." -i "c:\users\user\appdata\local\temp\is-u1aot.tmp\rdmcert\rdmroot.pem"
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0042F254 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,14_2_0042F254
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_0042E4EC AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,14_2_0042E4EC
Source: Setup.exe, 0000001F.00000003.1987627153.0000000000A60000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001F.00000002.2042513004.0000000000A22000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001F.00000003.1984635301.0000000000A6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
Source: Setup.exe, 0000001F.00000003.1984839211.0000000000A2F000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 0000001F.00000003.1984715598.0000000000A2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [2580] [explorer.exe] [Program Manager] [Visible]ible]g
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: GetLocaleInfoA,13_2_0040565C
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: GetLocaleInfoA,13_2_004056A8
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: GetLocaleInfoA,14_2_004089B8
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: GetLocaleInfoA,14_2_00408A04
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,15_2_6F8DEF5C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoW,free,_calloc_crt,strncpy_s,GetLocaleInfoW,GetLocaleInfoW,_calloc_crt,GetLocaleInfoW,GetLastError,_calloc_crt,free,free,__invoke_watson,15_2_6F86767A
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,malloc,15_2_6F86750C
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,_freea_s,15_2_6F8674D3
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoW,strcmp,strcmp,GetLocaleInfoW,atol,GetACP,15_2_6F8673B4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,15_2_6F8DF356
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,15_2_6F8DF2EF
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoA,_errno,_invalid_parameter_noinfo,_errno,_invalid_parameter_noinfo,_errno,15_2_6F8652E4
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,_stricmp,_stricmp,_TestDefaultLanguage,15_2_6F8DF22F
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _getptd,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_itoa_s,__fassign,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,strcpy_s,__invoke_watson,15_2_6F867270
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: GetLocaleInfoW,_GetPrimaryLen,_strlen,15_2_6F8DF003
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: _getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,_stricmp,GetLocaleInfoA,_stricmp,_strnicmp,_strlen,GetLocaleInfoA,_stricmp,_strlen,_stricmp,_TestDefaultLanguage,15_2_6F8DF05E
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeQueries volume information: \Device\CdRom0\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmpQueries volume information: C:\Windows\SysWOW64\iconv.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmpQueries volume information: C:\Windows\SysWOW64\libxml2.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00458DC4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,14_2_00458DC4
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: 13_2_004026C4 GetSystemTime,13_2_004026C4
Source: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmpCode function: 14_2_00455D38 GetUserNameA,14_2_00455D38
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F8217F0 mprMakeTime,GetTimeZoneInformation,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,_localtime64,GetTimeZoneInformation,15_2_6F8217F0
Source: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exeCode function: 13_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,13_2_00404654
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert8.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key3.db

Stealing of Sensitive Information

Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\secmod.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert5.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert7.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert6.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key3.db
Source: C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\cert8.db
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F82ED00 mprListenOnSocket,EnterCriticalSection,memcpy,mprGetSocketInfo,socket,setsockopt,setsockopt,setsockopt,closesocket,LeaveCriticalSection,bind,_errno,_errno,mprTraceProc,_errno,mprTraceProc,GetLastError,closesocket,SetLastError,listen,mprGetOsError,mprTraceProc,setsockopt,mprSetSocketBlockingMode,mprSetSocketNoDelay,LeaveCriticalSection,15_2_6F82ED00
Source: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exeCode function: 15_2_6F817060 mprSetSocketPrebindCallback,15_2_6F817060
MITRE ATT&CK matrix, listed per tactic column (the number in parentheses is the count shown next to a technique in the matrix; techniques without a number carry no count):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: Windows Management Instrumentation (1); Native API (2); Command and Scripting Interpreter (13); Service Execution (22); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: Scripting (1); DLL Side-Loading (1); Windows Service (43); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Access Token Manipulation (1); Windows Service (43); Process Injection (13); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: Disable or Modify Tools (21); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Install Root Certificate (1); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Masquerading (33); Access Token Manipulation (1); Process Injection (13); Regsvr32 (1)
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: System Time Discovery (2); Peripheral Device Discovery (11); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (28); Security Software Discovery (21); Process Discovery (3); Application Window Discovery (1); System Owner/User Discovery (3); Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Browser Session Hijacking (1); Data from Local System (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (2); Non-Application Layer Protocol (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1546329
Sample: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Startdate: 31/10/2024
Architecture: WINDOWS
Score: 40

DNS/IP: 209.183.8.0.in-addr.arpa
Sample signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Invoke-Obfuscation CLIP+ Launcher; 2 other signatures

Process tree (dropped files and signatures are listed under the process that produced them):

WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
    dropped: C:\Users\...\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, PE32
    WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
        dropped: C:\Users\user\AppData\Local\...\is-VP3PB.tmp, PE32; C:\Users\user\AppData\Local\...\is-E0EB0.tmp, PE32; C:\Users\user\AppData\Local\...\is-83PD6.tmp, PE32; 4 other files (none is malicious)
        WIN_DA_Install_4.0.4.0.exe
            dropped: C:\Users\user\...\WIN_DA_INSTALL_4.0.4.0.tmp, PE32
            WIN_DA_INSTALL_4.0.4.0.tmp
                dropped: C:\Windows\SysWOW64\zlib1.dll (copy), PE32; C:\Windows\SysWOW64\libxml2.dll (copy), PE32; C:\Windows\SysWOW64\is-B1058.tmp, PE32; 22 other files (none is malicious)
                RDM_ROOT_CERTIFICATE.exe
                    dropped: C:\Users\user\...\RDM_ROOT_CERTIFICATE.tmp, PE32
                    RDM_ROOT_CERTIFICATE.tmp
                        dropped: C:\Users\user\AppData\...\certutil.exe (copy), PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\...\ssl3.dll (copy), PE32; 26 other files (none is malicious)
                        cmd.exe
                            certutil.exe
                                dropped: C:\Users\user\AppData\Roaming\...\secmod.db, Berkeley; C:\Users\user\AppData\Roaming\...\key3.db, Berkeley; C:\Users\user\AppData\Roaming\...\cert8.db, Berkeley
                                signatures: Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc)
                            conhost.exe
                            cmd.exe
                        certmgr.exe
                            signature: Installs new ROOT certificates
                            conhost.exe
                            Conhost.exe
                rdmappweb-4.6.0-ms-windows-x86.exe
                    dropped: C:\...\rdmappweb-4.6.0-ms-windows-x86.tmp, PE32
                    rdmappweb-4.6.0-ms-windows-x86.tmp
                        dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\...\unins000.exe (copy), PE32; C:\Program Files (x86)\...\is-SAE1N.tmp, PE32; 38 other files (none is malicious)
                        RDMAppman.exe
                        RDMAppman.exe
                        RDMAppman.exe
                vcredist_x86.exe
                    dropped: C:\8ae2907c08a3ced0022a08\sqmapi.dll, PE32; C:\8ae2907c08a3ced0022a08\SetupUi.dll, PE32; C:\8ae2907c08a3ced0022a08\SetupEngine.dll, PE32; 11 other files (none is malicious)
                    Setup.exe
                        signature: Installs new ROOT certificates
                12 other processes
                    conhost.exe
                        Conhost.exe
                    conhost.exe
                    conhost.exe
                    18 other processes
        WIN_SCM_Support_4.0.3.1.exe
            dropped: C:\Users\user\...\WIN_SCM_SUPPORT_4.0.3.1.tmp, PE32
            WIN_SCM_SUPPORT_4.0.3.1.tmp
                dropped: C:\Windows\SysWOW64\is-7IV3V.tmp, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\...\unins000.exe (copy), PE32; 5 other files (none is malicious)
msiexec.exe
    dropped: C:\Windows\SysWOW64\vcomp100.dll, PE32; C:\Windows\SysWOW64\mfcm100u.dll, PE32; C:\Windows\SysWOW64\mfcm100.dll, PE32; 16 other files (none is malicious)
RDMAppman.exe
    RDMAppweb.exe
        conhost.exe
RDMAppman.exe
    RDMAppweb.exe
        conhost.exe

Source | Detection | Scanner | Label | Link
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | 29% | ReversingLabs | - | -
WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | 100% | Avira | TR/Redcap.brxte | -
Source | Detection | Scanner | Label | Link
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1033\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1036\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1040\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1041\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1042\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\1049\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\2052\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\3082\SetupResources.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\Setup.exe | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\SetupEngine.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\SetupUi.dll | 0% | ReversingLabs
C:\8ae2907c08a3ced0022a08\sqmapi.dll | 0% | ReversingLabs
C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\CertMgr.Exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMSAPIDLL.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDa.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmSCMWrap.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\install (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-0NOPJ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-291AF.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-3OIE9.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-57V4T.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-5AMK2.tmp | 2% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-B76PT.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-BS9SC.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C0VMN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-C9PV1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-DHMM3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-E2KL5.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ENH3B.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-HU82P.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-I730K.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-K96FQ.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-KLGM9.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-ODEF1.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-P19FD.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-PLTOC.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-UCURD.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\is-VBVGN.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libappweb.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libeay32.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libhttp.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_cgi.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_esp.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmod_ssl.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmpr.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libmprssl.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libpcre.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\libslink.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\msvcr100.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\removeFiles.exe (copy) | 2% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\ssleay32.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\uninstall (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_d8f75e92d1eafb54afba47fcb3fb7417.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\controller_e1e6248d4d6cd4c6f1780d87dae23f0e.dll (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-0O571.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\cache\is-PBL1C.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\is-SBL4H.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\is-66AM3.tmp | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\RDM Appweb\redist\vcredist_x86.exe (copy) | 0% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\is-SAE1N.tmp | 4% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\RDM_APPWEB\unins000.exe (copy) | 4% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\is-R0CGS.tmp | 2% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_DA_Install\unins000.exe (copy) | 2% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_SCM_Support\is-NU2T0.tmp | 2% | ReversingLabs
C:\Program Files (x86)\RDM Corporation\Uninstall\WIN_SCM_Support\unins000.exe (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-5LMKM.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-84VHQ.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\is-UG9QC.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-DIRJS.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-NBB3F.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe (copy) | 2% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_RDM_Support_4.0.3.1.exe (copy) | 4% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://jqueryui.com | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://repository.swisssign.com/0 | 0% | URL Reputation | safe
https://bugs.webkit.org/show_bug.cgi?id=29084 | 0% | URL Reputation | safe
https://www.remobjects.com/ps | 0% | URL Reputation | safe
https://www.innosetup.com/ | 0% | URL Reputation | safe
http://policy.camerfirma.com0 | 0% | URL Reputation | safe
http://www.innosetup.com/ | 0% | URL Reputation | safe
https://developer.mozilla.org/en-US/docs/CSS/display | 0% | URL Reputation | safe
http://www.quovadis.bm0 | 0% | URL Reputation | safe
http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
http://jquery.org/license | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://cps.chambersign.org/cps/chambersroot.html0 | 0% | URL Reputation | safe
http://sizzlejs.com/ | 0% | URL Reputation | safe
http://www.firmaprofesional.com/cps0 | 0% | URL Reputation | safe
http://crl.securetrust.com/SGCA.crl0 | 0% | URL Reputation | safe
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript | 0% | URL Reputation | safe
http://crl.securetrust.com/STCA.crl0 | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
209.183.8.0.in-addr.arpa | unknown | unknown | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE | false | - | unknown
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com//industries-served/check-cashing | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crl.chambersign.org/chambersroot.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com/support | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/payment-processing-solutions | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://jqueryui.com | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, is-FUR3P.tmp.3.dr | false | URL Reputation: safe | unknown
http://www.certifikat.dk/repository0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.chambersign.org1 | is-FHH1A.tmp.34.dr | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://embedthis.com/products/appweb/doc/guide/appweb/users/authentication.html. | rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000002.1884824094.000000000018E000.00000004.00000010.00020000.00000000.sdmp | false | - | unknown
http://www.diginotar.nl/cps/pkioverheid0 | is-FHH1A.tmp.34.dr | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://repository.swisssign.com/0 | is-FHH1A.tmp.34.dr | false | URL Reputation: safe | unknown
http://www.phreedom.org/md5)MD5 | is-FHH1A.tmp.34.dr | false | - | unknown
https://bugs.webkit.org/show_bug.cgi?id=29084 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.ascc.net/xml/schematron | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://blindsignals.com/index.php/2009/07/jquery-delay/ | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://bugs.jquery.com/ticket/12282#comment:15 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, is-FUR3P.tmp.3.dr | false | - | unknown
http://dev.w3.org/csswg/cssom/#resolved-values | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/digital-imaging-solutions/check-scanners | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.certplus.com/CRL/class2.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.disig.sk/ca/crl/ca_disig.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com/company/industry-links | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://www.remobjects.com/ps | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000001.00000000.1722272904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | false | URL Reputation: safe | unknown
http://www.rdmcorp.com/contact | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://www.innosetup.com/ | WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720249194.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.EXE, 00000000.00000003.1720610315.000000007FB50000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_RDM_INSTALL_4.0.4.0.tmp, 00000001.00000000.1722272904.0000000000401000.00000020.00000001.01000000.00000004.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp.61.dr | false | URL Reputation: safe | unknown
http://www.sk.ee/cps/0 | is-FHH1A.tmp.34.dr | false | - | unknown
https:///admin/login.esp | rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000002.1884824094.000000000018E000.00000004.00000010.00020000.00000000.sdmp | false | - | unknown
https://github.com/jquery/jquery/pull/764 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/payment-processing-solutions/image-cash-letter | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://policy.camerfirma.com0 | is-FHH1A.tmp.34.dr | false | URL Reputation: safe | unknown
http://schemas.microsoft | eula.rtf2.30.dr | false | - | unknown
http://www.innosetup.com/ | rdmappweb-4.6.0-ms-windows-x86.tmp, rdmappweb-4.6.0-ms-windows-x86.tmp, 0000000E.00000000.1852957625.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059460300.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059650105.00000000021C8000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000002.2087081373.0000000000401000.00000020.00000001.01000000.0000001F.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.gva.es0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.phreedom.org/md5) | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com | WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2194477307.0000000003480000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2301400036.00000000025E3000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crl.oces.certifikat.dk/oces.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://bugs.jquery.com/ticket/12359 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.certicamara.com/dpc/0Z | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com/news-and-events | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crl.pki.wellsfargo.com/wsprca.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=649285 | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | rdmappweb-4.6.0-ms-windows-x86.exe, rdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000000.1851464606.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000000.2058657491.0000000000401000.00000020.00000001.01000000.0000001E.sdmp | false | - | unknown
http://www.rdmcorp.com/privacy-statement | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/industries-served/brokerage-firms | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://acedicom.edicomgroup.com/doc0 | is-FHH1A.tmp.34.dr | false | - | unknown
https://developer.mozilla.org/en-US/docs/CSS/display | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.entrust.net/CRL/net1.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
https://www.catcert.net/verarrel | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.disig.sk/ca0f | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.e-szigno.hu/RootCA.crl | is-FHH1A.tmp.34.dr | false | - | unknown
https://developer.mozilla.org/en/Security/CSP) | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crl.microsof | Setup.exe, 0000001F.00000003.1995143975.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.sk.ee/juur/crl/0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.zlib.net/D | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000002.2172919720.000000000018E000.00000004.00000010.00020000.00000000.sdmp, WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2300820202.0000000003764000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://crl.chambersign.org/chambersignroot.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | is-FHH1A.tmp.34.dr | false | - | unknown
http://www.rdmcorp.com/payment-processing-solutions/data-management | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/payment-processing-solutions/remote-deposit-capture | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
https://localhost:736/SCM/4.0/scm.esp | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005AE9000.00000004.00001000.00020000.00000000.sdmp | false | - | unknown
http://www.rdmcorp.com/company/careers | WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmp | false | -
                                                                                                                    unknown
                                                                                                                    http://www.quovadis.bm0is-FHH1A.tmp.34.drfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://www.trustdst.com/certificates/policy/ACES-index.html0is-FHH1A.tmp.34.drfalse
                                                                                                                      unknown
                                                                                                                      http://www.firmaprofesional.com0is-FHH1A.tmp.34.drfalse
                                                                                                                        unknown
                                                                                                                        https://github.com/jquery/sizzle/pull/225WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.pkioverheid.nl/policies/root-policy-G20is-FHH1A.tmp.34.drfalse
                                                                                                                            unknown
                                                                                                                            https://bugzilla.mozilla.org/show_bug.cgi?id=491668WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://www.rdmcorp.com/industries-served/property-managementWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                https://www.netlock.net/docsis-FHH1A.tmp.34.drfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.phreedom.org/md5)0is-FHH1A.tmp.34.drfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlis-FHH1A.tmp.34.drfalse
                                                                                                                                      unknown
                                                                                                                                      http://crl.entrust.net/2048ca.crl0is-FHH1A.tmp.34.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.rdmcorp.com&RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2088264797.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000003.2059131336.00000000021C1000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2062075406.0000000002218000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOT_CERTIFICATE.tmp, 00000022.00000003.2086733217.0000000002218000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.rdmcorp.com/payment-processing-solutions/remittance-processingWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNGis-BS9SC.tmp.14.drfalse
                                                                                                                                            unknown
                                                                                                                                            http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0is-FHH1A.tmp.34.drfalse
                                                                                                                                              unknown
                                                                                                                                              http://fedir.comsign.co.il/crl/ComSignCA.crl0is-FHH1A.tmp.34.drfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.rdmcorp.com/company/board-of-directorsWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://jquery.org/licenseWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://ocsp.entrust.net03is-FHH1A.tmp.34.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://www.openssl.org/Vis-BS9SC.tmp.14.drfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUrdmappweb-4.6.0-ms-windows-x86.exe, 0000000D.00000000.1851464606.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, RDM_ROOT_CERTIFICATE.exe, 00000021.00000000.2058657491.0000000000401000.00000020.00000001.01000000.0000001E.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://cps.chambersign.org/cps/chambersroot.html0is-FHH1A.tmp.34.drfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://sizzlejs.com/WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.rdmcorp.comQ64WIN_SCM_Support_4.0.3.1.exe, 0000003D.00000003.2306212319.0000000002343000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://www.firmaprofesional.com/cps0is-FHH1A.tmp.34.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://crl.securetrust.com/SGCA.crl0is-FHH1A.tmp.34.drfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://purl.oclc.org/dsdl/schematronWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://jsperf.com/getall-vs-sizzle/2WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascriptWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://crl.securetrust.com/STCA.crl0is-FHH1A.tmp.34.drfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.openssl.org/support/faq.htmlis-BS9SC.tmp.14.drfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://www.rdmcorp.com/industries-served/financial-institutionsWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://github.com/jquery/jquery/pull/557)WIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.0000000005050000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtdConvertingWIN_DA_INSTALL_4.0.4.0.tmp, 00000003.00000003.2165888393.00000000056ED000.00000004.00001000.00020000.00000000.sdmp, WIN_SCM_SUPPORT_4.0.3.1.tmp, 0000003E.00000003.2294107474.0000000005576000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546329
Start date and time: 2024-10-31 19:21:41 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 69
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Detection: MAL
Classification: mal40.phis.spyw.evad.winEXE@113/493@1/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 183
• Number of non-executed functions: 297
Cookbook Comments:
• Found application associated with file extension: .EXE
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time; the report may be missing disassembly code information
• Report size exceeded the maximum capacity; the report may be missing behavior information
• Report size exceeded the maximum capacity; the report may be missing disassembly code
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• VT rate limit hit for: WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Time     | Type            | Description
14:22:54 | API Interceptor | 40x Sleep call for process: RDMAppweb.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | https://storage.googleapis.com/vectric_public/Cut2DDesktopTrialEdition_Setup.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp5.1.5769.zip | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | ESjy0irMIn.exe | malicious | Njrat
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | dotNetFx40_Full_setup.exe | malicious | Phemedrone Stealer
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | dotNetFx40_Full_x86_x64.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1031\SetupResources.dll | https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6Q | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | https://storage.googleapis.com/vectric_public/Cut2DDesktopTrialEdition_Setup.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | https://download.info.apple.com/Mac_OS_X/031-30890-20150812-ea191174-4130-11e5-a125-930911ba098f/bootcamp5.1.5769.zip | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | ESjy0irMIn.exe | malicious | Njrat
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | dotNetFx40_Full_setup.exe | malicious | Phemedrone Stealer
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | http://download.arxivar.it/Tools/Prerequisiti/vcredist_x86_2010.zip | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | https://files.jalinga.com/builds/releases/jalinga_studio.4.0.2040.0.exe | malicious | Unknown
C:\8ae2907c08a3ced0022a08\1028\SetupResources.dll | dotNetFx40_Full_x86_x64.exe | malicious | Unknown
                                                                                                                                                                                                        https://gscs-b2c.lge.com/downloadFile?fileId=JCmfbdhuo6i4ujSC2MbC6QGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):788
                                                                                                                                                                                                          Entropy (8bit):0.09823380614560741
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:lbll/:lB
                                                                                                                                                                                                          MD5:DF7119A5D3CAEDA80BF0FB6F8E53DE8F
                                                                                                                                                                                                          SHA1:76458E1D2E0FA4519FACB71A5F23F8799713BE2B
                                                                                                                                                                                                          SHA-256:3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C
                                                                                                                                                                                                          SHA-512:85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F585434319A66D9A97D9A09F5AC4A752B00B6C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Sdwn................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (388), with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):30672
                                                                                                                                                                                                          Entropy (8bit):4.2936704552740705
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:4Y6C7xfsxMEYgPNRAsy50keJzH7o3oDPnv:MxLJz7
                                                                                                                                                                                                          MD5:7FC06A77D9AAFCA9FB19FAFA0F919100
                                                                                                                                                                                                          SHA1:E565740E7D582CD73F8D3B12DE2F4579FF18BB41
                                                                                                                                                                                                          SHA-256:A27F809211EA1A2D5224CD01101AA3A59BF7853168E45DE28A16EF7ED6ACD46A
                                                                                                                                                                                                          SHA-512:466DCC6A5FB015BE1619F5725FA62CA46EB0FB428E11F93FD9D82E5DF61C3950B3FB62D4DB7746CC4A2BE199E5E69EAA30B6F3354E0017CFA14D127FAD52F8CF
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .x.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P.[..z._.... .I.A.6.4. .s^.S..!q.l.[.(W...Ps^.S.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."....P\Omi.|q}.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. ..SI.ce|vWY.N.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):14168
                                                                                                                                                                                                          Entropy (8bit):5.9724110685335825
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:fc2+tUfwZWPl53LmlVlSW1g+/axw0lczWpXEWUQKPnEtObMacxc8hjeyveCXzHbk:hzuwLmlCW1g+/kmzWpXEWULXci2jpv3e
                                                                                                                                                                                                          MD5:7C136B92983CEC25F85336056E45F3E8
                                                                                                                                                                                                          SHA1:0BB527E7004601E920E2AAC467518126E5352618
                                                                                                                                                                                                          SHA-256:F2E8CA58FA8D8E694D04E14404DEC4E8EA5F231D3F2E5C2F915BD7914849EB2B
                                                                                                                                                                                                          SHA-512:06DA50DDB2C5F83E6E4B4313CBDAE14EED227EEC85F94024A185C2D7F535B6A68E79337557727B2B40A39739C66D526968AAEDBCFEF04DAB09DC0426CFBEFBF4
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious
• Filename: ESjy0irMIn.exe, Detection: malicious
• Filename: dotNetFx40_Full_setup.exe, Detection: malicious
• Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
• Filename: , Detection: malicious
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@......E.....@.......................................... ..X............ ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):188446
                                                                                                                                                                                                          Entropy (8bit):4.98936861773382
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:vjB8N7T+SN6FY5PmQlivKawlrIMUkYfkv8CshgJNgRJAoJvIrOJBElrhzxQXK6uG:o7SSN6FYtmQlivKawlrIMUkYfkv8Cs4U
                                                                                                                                                                                                          MD5:129D8E8824B0D545ADC29E571A6E2C02
                                                                                                                                                                                                          SHA1:5A1DDFCD2AE21D96C818D315CB5E263F525A39CD
                                                                                                                                                                                                          SHA-256:83B8268E2874699227F9B1AD3F72A06CBF474EFA3983F5C5EE9BFE415DB98476
                                                                                                                                                                                                          SHA-512:1048F646D5866DC8736DB0A023A65A7E208A5F56774FA8EC5D59E4272A54A9A6E94B01B84293A7EC9F889BAD7865522E783AF30BF61BB9249687DCEAC62066D8
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch14\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}{\f14\fbidi \froman\fcharset136\fprq2{\*\panose 02020500000000000000}PMingLiU{\*\falt \'b7\'73\'b2\'d3\'a9\'fa\'c5\'e9};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\fa
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (615), with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):41622
                                                                                                                                                                                                          Entropy (8bit):3.577523249714746
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:4nF+jpoHnZi8oO0GOJ2+8q6OUjEYJL/ZiITrKv:V03XjZJL/YIy
                                                                                                                                                                                                          MD5:B83C3803712E61811C438F6E98790369
                                                                                                                                                                                                          SHA1:61A0BC59388786CED045ACD82621BEE8578CAE5A
                                                                                                                                                                                                          SHA-256:2AA6E8D402E44D9EE895B18195F46BF90259DE1B6F44EFD46A7075B110F2DCD6
                                                                                                                                                                                                          SHA-512:E020F93E3A082476087E690AD051F1FEB210E0915924BB4548CC9F53A7EE2760211890EB6036CE9E5E4A311ABC0300E89E25EFBBB894C2A621FFBC9D64CC8A38
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .x.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.a.l.l.i.e.r.t. .w.e.r.d.e.n..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".D.i.e.s.e.s. .S.e.t.u.p.p.r.o.g.r.a.m.m. .e.r.f.o.r.d.e.r.t. .e.i.n.e. .I.A.6.4.-.P.l.a.t.t.f.o.r.m... .E.s. .k.a.n.n. .n.i.c.h.t. .a.u.f. .d.e.r. .P.l.a.t.t.f.o.r.m. .i.n.s.t.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):18776
                                                                                                                                                                                                          Entropy (8bit):5.135663555520085
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:lQ16m3rhGrcHN/USYvYVA9WKieW8bLXci2jXHU2Ze:lEhCSVYvYVAA+Mi2jXHU2A
                                                                                                                                                                                                          MD5:7C9AE49B3A400C728A55DD1CACC8FFB2
                                                                                                                                                                                                          SHA1:DD3A370F541010AD650F4F6AA42E0CFC68A00E66
                                                                                                                                                                                                          SHA-256:402C796FEBCD78ACE8F1C5975E39193CFF77F891CFF4D32F463F9A9C83806D4A
                                                                                                                                                                                                          SHA-512:D30FE9F78A49C533BE5C00D88B8C2E66A8DFAC6D1EAE94A230CD937F0893F6D4A0EECE59C1D2C3C8126FFA9A9648EC55A94E248CD8C7F9677F45C231F84F221B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: Kiwi_Syslog_Server_9.8.2.Freeware.setup.exe, Detection: malicious
• Filename: ESjy0irMIn.exe, Detection: malicious
• Filename: dotNetFx40_Full_setup.exe, Detection: malicious
• Filename: Scotiabank_Scanner_Driver_DigitalCheck-42180-1310v3.exe, Detection: malicious
• Filename: , Detection: malicious
• Filename: , Detection: malicious
• Filename: dotNetFx40_Full_x86_x64.exe, Detection: malicious
• Filename: , Detection: malicious

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):163866
Entropy (8bit):5.029712171633306
Encrypted:false
SSDEEP:3072:oiJ+vgRJA8J/snalBEm0OgKXIJR10GZybh2C:aQ
MD5:117DABB5A055B09B6DB6BCBA8F911073
SHA1:E8F5D907939400824CC5DADB681852C35CA7BB79
SHA-256:DAEA9CD8151A2C24A87C3254DEC1DE0463234E44922C8E0AA4E01AB58EC89664
SHA-512:E995D03998BE9F07F9E9B8566E429D3795ADBDEEEFB2048D6B8877CE15A0ABFCE4FAAEE8DC773250495C15CC35FD0040D81593B51067533836D5F3CF8612D3C4
Malicious:false
Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????\'a1\'ec???};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fpr

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (565), with CRLF line terminators
Category:dropped
Size (bytes):39246
Entropy (8bit):3.5443876937052083
Encrypted:false
SSDEEP:192:4kVKhG9aX0SDpI53/asO0KMv+VXxwVcPIv5COQu4SLbpmQVX5FB0zJOkue6Jjfz3:4MKhJkeZsdlNl9SJOkR6NXaxu
MD5:D642E322D1E8B739510CA540F8E779F9
SHA1:36279C76D9F34C09EBDDC84FD33FCC7D4B9A896C
SHA-256:5D90345FF74E177F6DA8FB6459C1CFCAC080E698215CA75FEB130D0D1F2A76B9
SHA-512:E1E16AE14BC7CC1608E1A08D3C92B6D0518B5FABD27F2C0EB514C87AFC3D6192BF7A793A583AFC65F1899F03DC419263B29174456E1EC9AB0F0110E0258E0F0D
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .x.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".T.h.i.s. .s.e.t.u.p. .p.r.o.g.r.a.m. .r.e.q.u.i.r.e.s. .a.n. .I.A.6.4. .p.l.a.t.f.o.r.m... .I.t. .c.a.n.n.o.t. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .t.h.i.s. .p.l.a.t.f.o.r.m...". ./.>..... . . . . . .<.T.e.x.t. .

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17240
Entropy (8bit):5.151474565875158
Encrypted:false
SSDEEP:192:byk5nUfwTW7JwWp0eW6jp8M+9HS8bC/TJs7kFkzQKPnEtObMacxc8hjeyveCXZBe:pgoTWp0eWB9ygC/TfFkzLXci2jpv8
MD5:9547D24AC04B4D0D1DBF84F74F54FAF7
SHA1:71AF6001C931C3DE7C98DDC337D89AB133FE48BB
SHA-256:36D0159ED1A7D88000737E920375868765C0A1DD6F5A5ACBB79CF7D97D9E7A34
SHA-512:8B6048F4185A711567679E2DE4789407077CE5BFE72102D3CB1F23051B8D3E6BFD5886C801D85B4E62F467DD12DA1C79026A4BC20B17F54C693B2F24E499D40F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
Category:dropped
Size (bytes):7080
Entropy (8bit):4.934776172726828
Encrypted:false
SSDEEP:192:9fcddvfbS9u6zZ+kodpj4eQ1lhcgi5X90vJqpsSih2:y/fbSZ/odpjmlhcgi5NSkRA2
MD5:19D028345AADCC05697EEC6D8C5B5874
SHA1:70BD3D4D51373FB82F0257F28D5F3609BFC82520
SHA-256:F4FF4EACE31B75176A0806E1693041D546D2599AEC0C77D295BAD09CAC7D9FE7
SHA-512:9B3DFFEC7C1595197AF69E59094588541558BEF56982475DDDD2C9E3D75FC8B970B384452713632AE20435EC0CAEC6CC4CD8CEC9CD4B4809335FDC9F2CC7B842
Malicious:false
Preview:{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset0 Times New Roman;}{\f2\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Msftedit 5.41.21.2508;}\viewkind4\uc1\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\f1\par..\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120\f0 MICROSOFT VISUAL C++ 2010 RUNTIME LIBRARIES\f1\par..\pard\nowidctlpar\sb120\sa120\b0\f0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\f1\par..\pard\nowidctlpar\fi-360\li360\sb120\sa120\tx360\f2\'b7\tab\f0 updates,\f1\par..\f2\'b7\tab\f0 supplements,\f1\par..\f2\'b7\tab\f0 Internet-based services, and \f1\par..\f2\'b7\tab\f0 support services\f1\par.

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (619), with CRLF line terminators
Category:dropped
Size (bytes):41492
Entropy (8bit):3.5522209001567364
Encrypted:false
SSDEEP:192:4GrYAOJoFbZZ0eQiFaD4EbJeiI5hJUPu2oBknXoFDYnZCoroUnAJJFHq20/kFR/0:4GZUoRZc5ryx2fHIJR0kbG52gjfVv
MD5:E382ABC19294F779D2833287242E7BC6
SHA1:1CEAE32D6B24A3832F9244F5791382865B668A72
SHA-256:43F913FF28D677316F560A0F45221F35F27CFAF5FC5BD645974A82DCA589EDBF
SHA-512:06054C8048CADE36A3AF54F9A07FD8FA5EB4F3228790996D2ABEA7EE1EE7EB563D46BD54FF97441F9610E778194082C44E66C5F566C9C50A042ABA9EB9CAE25E
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .x.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.l.l... .s.u.r. .c.e.t.t.e. .p.l.a.t.e.f.o.r.m.e..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".C.e. .p.r.o.g.r.a.m.m.e. .d.'.i.n.s.t.a.l.l.a.t.i.o.n. .r.e.q.u.i.e.r.t. .u.n.e. .p.l.a.t.e.f.o.r.m.e. .I.A.6.4... .I.l. .n.e. .p.e.u.t. .p.a.s. ...t.r.e. .i.n.s.t.a.

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18776
Entropy (8bit):5.112489568342605
Encrypted:false
SSDEEP:384:J7Z66AY9li3OoDDkbiWpQeWELXci2jpv8:JffiZDgycMi2jpv8
MD5:93F57216FE49E7E2A75844EDFCCC2E09
SHA1:DCCD52787F147E9581D303A444C8EE134AFC61A8
SHA-256:2506827219B461B7C6C862DAE29C8BFF8CB7F4A6C28D2FF60724CAC70903987D
SHA-512:EADFFB534C5447C24B50C7DEFA5902F9EB2DCC4CF9AF8F43FA889B3367EA25DFA6EA87FF89C59F1B7BBF7106888F05C7134718021B44337AE5B7D1F808303BB1
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):162915
                                                                                                                                                                                                          Entropy (8bit):5.023428742885146
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:Xn6ipERiA7JzI3ilBEBr97dQnKG5zpZ27KN4:KiZ
                                                                                                                                                                                                          MD5:BBBBB0BDA00FDA985BB39FEE5FD04FF8
                                                                                                                                                                                                          SHA1:3053CF30FAD92F133AD3EA7EEFB8C729D323EA00
                                                                                                                                                                                                          SHA-256:3CB591E6801E91FE58E79449F7C99B88C3BA0ACE5D922B4AA0C8F2CDD81854BD
                                                                                                                                                                                                          SHA-512:32CC1B0F033B13D7614F8BD80DE4D3F9D4668632010BCB563E90773FB2F4971D19206C46B0C2B0E55308CA14F4DEAF5EB415DAE5F2C0C4331B5DF0AE44B2F61E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff38\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ????????????????????????????\'a1\'a7??};}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}..{\f38\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604030504040204}Tahoma{\*\falt ?? ??};}{\f39\fbidi \fswiss\f

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (601), with CRLF line terminators
Category: dropped
Size (bytes): 40338
Entropy (8bit): 3.5295538496820984
Encrypted: false
SSDEEP: 384:4hZo3+Ma9e1JzNZNs4fneAEJ0o5H/PuRv:NaudsJ1u
MD5: 0AF948FE4142E34092F9DD47A4B8C275
SHA1: B3D6DD5C126280398D9055F90E2C2C26DBAE4EAA
SHA-256: C4C7C0DDAA6D6A3A1DC260E9C5A24BDFAA98C427C69E8A65427DD7CAC0A4B248
SHA-512: D97B5FE2553CA78A3019D53E33D2DB80C9FA1CF1D8D2501D9DDF0576C7E6EA38DAB754FE4712123ABF34B97E10B18FB4BBD1C76D3DACB87B4682E501F93423D9
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 18264
Entropy (8bit): 5.142702232041524
Encrypted: false
SSDEEP: 384:77n6Tg7AtONBKHno5hWXeWFLXci2jpvz2:7XAbs+ZMi2jpvz2
MD5: E4860FC5D4C114D5C0781714F3BF041A
SHA1: 864CE88E8AB1DB9AFF6935F9231521B6B72D5974
SHA-256: 6B2D479D2D2B238EC1BA9D14F9A68DC552BC05DCBCC9007C7BB8BE66DEFC643B
SHA-512: 39B0A97C4E83D5CCA1CCCCE494831ADBC18DF1530C02E6A2C13DAE66150F66A7C987A26CECB5587EA71DD530C8BE1E46922FE8C65AE94145D90B0A057C06548D
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category: dropped
Size (bytes): 189369
Entropy (8bit): 4.993456059906976
Encrypted: false
SSDEEP: 3072:8K91dpBgRJA8J/snalBEm0OgKXIJR10GZybh2C:8aK
MD5: F1602100F6C135AB5D8026E9248BAF02
SHA1: DEBE92E8761F5320352DCFFE844FB25A10E9EA14
SHA-256: 284A8BBA438DA22A1B4F497B0B4ED1D9886184859527B87FF7350C83F198AB2D
SHA-512: 2A0FBEF3114B54EDB400D913D317A5097801834BEE0FB536B0FF645DD1CA40A1451945AD563119A5BA80F26B51CDA8B23E93BE71D7C82723AFEDE3CBF1DA00C6
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (440), with CRLF line terminators
Category: dropped
Size (bytes): 34318
Entropy (8bit): 4.3825885013202255
Encrypted: false
SSDEEP: 192:4OTOo45ZyAYcou3LDnmUjMFsrHZmxqJOXhNCGYHre3iR7v:4OTOoMhYcRaOXJ6koIv
MD5: 7FCFBC308B0C42DCBD8365BA62BADA05
SHA1: 18A0F0E89B36818C94DE0AD795CC593D0E3E29A9
SHA-256: 01E7D24DD8E00B5C333E96D1BB83813E02E96F89AAD0C2F28F84551D28ABBBE2
SHA-512: CD6F912A037E86D9E1982C73F0F8B3C4D5A9A6B5B108A7B89A46E6691E430A7CB55718DE9A0C05650BB194C8D4A2E309AD6221D638CFCA8E16AA5920881BA649
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 15704
Entropy (8bit): 5.929554826924656
Encrypted: false
SSDEEP: 192:Cg0rjUfwtW1+/FuZhS5CSJk/lhAW5kEW1QKPnEtObMacxc8hjeyveCXPX:5hC7mS53JkNSW5kEW1LXci2jpvJ
MD5: 278FD7595B580A016705D00BE363612F
SHA1: 89A299A9ABECB624C3606267371B7C07B74B3B26
SHA-256: B3ECD3AEA74D0D97539C4971C69F87C4B5FE478FC42A4A31F7E1593D1EBA073F
SHA-512: 838D23D35D8D042A208E8FA88487CD1C72DA48F336157D03B9549DD55C75DA60A83F6DD2B3107EB3E5A24F3FAD70AE1629ACC563371711117C3C3E299B59D838
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category: dropped
Size (bytes): 181054
Entropy (8bit): 4.962328655200384
Encrypted: false
SSDEEP: 3072:7vykJ9MRJAwJjAXetBE1rRbe+KusGWqcJ2V:fJ
MD5: 89D66A0B94450729015D021BC8F859E9
SHA1: C9AD4C7DCDAFEAD282DAA1C214E7A0EAB567FFD5
SHA-256: 6A1884515CC4378D732F681934658252A4B45D76CE7F53CF8650BE794CC8D390
SHA-512: 336A5B1CBF2F52DF5B151A564C8452826D253F9FC565C865D7BA37B91229996D9AE59603350BD5CD99352ED63D265D8578095560CB7DE67DA7E1AA2135FBF0FB
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (439), with CRLF line terminators
Category: dropped
Size (bytes): 32962
Entropy (8bit): 4.366055142656104
Encrypted: false
SSDEEP: 192:4cdsW0fwUrh+UgYUDQhGAtPN/2JWCTJSIQvPaLWL2C4oH/Drv:4cdszvrBgYUDQhF5N7IJSIQvkQfLH/Pv
MD5: 71DFD70AE141F1D5C1366CB661B354B2
SHA1: C4B22590E6F6DD5D39E5158B831AE217CE17A776
SHA-256: CCCDA55294AEB4AF166A8C0449BCA2189DDF5AA9A43D5E939DD3803E61738331
SHA-512: 5000D62F3DE41C3FB0ED8A8E9C37DBF4EB427C4F1E3AD3823D4716C6FE62250BAC11B7987A302B8A45D91AABCF332457F7AFF7D99F15EDEFFE540639E9440E8A
Malicious: false
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15192
Entropy (8bit):5.9622226182057325
Encrypted:false
SSDEEP:192:Hpix6f+jYxzekdPKNS0N7gVCAMWpCeWRQKPnEtObMacxc8hjeyveCXmo+:3ibMj0lgRMWpCeWRLXci2jpv8o+
MD5:FCFD69EC15A6897A940B0435439BF5FC
SHA1:6DE41CABDB45294819FC003560F9A2D1E3DB9A7B
SHA-256:90F377815E3C81FC9AE5F5B277257B82811417CA3FFEACD73BAB530061B3BE45
SHA-512:4DC3580B372CEE1F4C01569BAEA8CD0A92BC613648DB22FF1855920E47387A151964B295A1126597B44BB0C596E8757B1FCF47CDA010F9BBB15A88F97F41B8BF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!......... ...............................................@......v.....@.......................................... ...............$..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):351492
Entropy (8bit):4.844773730829239
Encrypted:false
SSDEEP:768:bNK7z5n/OLs3+lAB4HeqyOOZjYCrv1MT2hhO0kN9okLgd80UKdF8K8Zb4ajD/y9m:bI79kaIDUhOhQAUiK/9/MjZr
MD5:8203E9FC25A5720AFB8C43E8BE10C3B0
SHA1:FC7D9B452B6D5475FD1EF61B78E8BC6E32F08974
SHA-256:0EBD62213F41DFFA0BCD939BDC6ABC25096E95112C217FDF27CE661A19AD0866
SHA-512:F95DCB9C25436AE322C240A0D0ABD9F4904A5AF313CAC5CB8C90C1A5460DAD8E983347AD7540C672046E4210945B053B75313BB6D10B44B2A0BF0024B400E81E
Malicious:false
                                                                                                                                                                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch12\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\*\panose 02030600000101010101}Batang{\*\falt \'b9\'d9\'c5\'c1};}..{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ??????????????????????????????\'a1\'a7};}{\f20\fbidi \froman\fcharset129\f
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (634), with CRLF line terminators
Category:dropped
Size (bytes):40428
Entropy (8bit):4.232828720335164
Encrypted:false
SSDEEP:384:4q0oG/2VrQa0inweNLvSli+CJA3aJW5cGUT3CT+v:DVFJl
MD5:0EEB554D0B9F9FCDB22401E2532E9CD0
SHA1:08799520B72A1EF92AC5B94A33509D1EDDF6CAF8
SHA-256:BEEF0631C17A4FB1FF0B625C50C6CB6C8CE90A1AE62C5E60E14BF3D915AD509C
SHA-512:2180E46A5A2EA1F59C879B729806CA02A232C66660F29C338C1FA7FBEE2AFA4B13D8777D1F7B63CF831EB42F3E55282D70AA8E53F40616B8A6E4D695C36E313D
Malicious:false
                                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .x.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C..."./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=."...;.O. .M.B.>.9. .?.@.>.3.@.0.<.<.K. .C.A.B.0.=.>.2.:.8. .B.@.5.1.C.5.B.A.O. .?.;.0.B.D.>.@.<.0. .I.A.6.4... ...5. .=.5.;.L.7.O. .C.A.B.0.=.>.2.8.B.L. .=.0. .4.0.=.=.C.N. .?.;.0.B.D.>.@.<.C.
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18264
Entropy (8bit):5.548909804205606
Encrypted:false
SSDEEP:192:eRBvnUfwVWBC623DV3SD1tt9WfXHT7nMsmxeW1QKPnEtObMacxc8hjeyveCXgFK1:e/C6+URiD1vwLoPeW1LXci2jpvaFHM
MD5:7EF74AF6AB5760950A1D233C582099F1
SHA1:BF79FF66346907446F4F95E1E785A03CA108EB5D
SHA-256:658398F1B68D49ABD37FC3B438CD564992D4100ED2A0271CBF83173F33400928
SHA-512:BBBB099AD24F41785706033962ACFC75039F583BEED40A7CDC8EDA366AB2C77F75A5B2792CF6AACB80B39B6B1BB84ECE372BE926FF3F51028FB404D2F6334D78
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........,...............................................P......O.....@.......................................... ...*...........0..X............................................................................................text...G...........................@..@.rsrc....0... ...*..................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):213363
Entropy (8bit):4.934134633374225
Encrypted:false
SSDEEP:6144:D/fSz7yMsMyN1FyRtXSWS3SoSalsySMDS7SmSJ8SUSPsBa5IqDSySipSAS6ASGS+:pG
MD5:5B95EFBC01DC97EE9A6C6F64A49AA62D
SHA1:A99C984A0D5E316FE60D588A3519F2D5C805C1DE
SHA-256:0CFACFF2B63121AD1D71376E4A3799B93B7E6D278209FE4806CCA0F74830CFC1
SHA-512:A0B19864E68945A74BCE24C8D5EB0050ABB66C6FF6A53D0482FFA70E93EEE2957608BB9BDE535718D56CD5D7509B4DD7A1786C99BC2120344293234B7A6C2A3B
Malicious:false
                                                                                                                                                                                                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff0\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1033\deflangfe1033\themelang1033\themelangfe2052\themelangcs1025{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt ?l?r ???fc};}..{\f1\fbidi \fswiss\fcharset0\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset0\fprq1{\*\panose 02070309020205020404}Courier New{\*\falt Arial};}..{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol{\*\falt Times};}{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings{\*\falt Symbol};}..{\f11\fbidi \fmodern\fcharset128\fprq1{\*\panose 02020609040205080304}MS Mincho{\*\falt ?l?r ??\'81\'66c};}{\f13\fbidi \fnil\fcharset134\fprq2{\*\panose 02010600030101010101}SimSun{\*\falt ???????????????????????????????};}..{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math{\*\falt Calisto MT};}{\f38\fbidi \fswiss\fcharset0\fprq2{\*\p
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (390), with CRLF line terminators
Category:dropped
Size (bytes):31138
Entropy (8bit):4.240036868712424
Encrypted:false
SSDEEP:192:4Qn7cJwYTzOnyquEWTOAXUewfMcqQJywXk83GJPupIoxnb/2v:4Qn7cJxTC/uEWTfXUewiQJyoknJY9b+v
MD5:52B1DC12CE4153AA759FB3BBE04D01FC
SHA1:BF21F8591C473D1FCE68A9FAF1E5942F486F6EBA
SHA-256:D1735C8CFD8E10BA019D70818C19FA865E7C72F30AB6421A3748408F85FB96C3
SHA-512:418903AE9A7BAEBF73D055E4774FF1917FBAAB9EE7ED8C120C34BB10E7303F6DD7B7DAE701596D4626387A30AE1B4D329A9AF49B8718B360E2FF619C56C19623
Malicious:false
                                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.".>..... . .<.L.o.c.a.l.i.z.e.d.D.a.t.a.>..... . . . .<.L.a.n.g.u.a.g.e.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.X.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .x.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.I.A.6.4.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.[..z.^..Bl.O(u .I.A.6.4. .s^.S.0.N..(Wdks^.S.N.[.dk.z.^.0"./.>..... . . . . . .<.T.e.x.t. .I.D.=.".#.(.l.o.c...B.l.o.c.k.e.r._.U.n.S.u.p.p.o.r.t.e.d.O.S.).". .L.o.c.a.l.i.z.e.d.T.e.x.t.=.".dk.d\O.|.~.N/e.c .M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e..0"./.>..... . . . . . .<.
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14168
Entropy (8bit):6.010838262457833
Encrypted:false
SSDEEP:192:rsLnUfwVWtTXjuQShyjK7tWUEW5IQKPnEtObMacxc8hjeyveCXMOV:4eCTFhMKZWUEW5ILXci2jpvP
MD5:407CDB7E1C2C862B486CDE45F863AE6E
SHA1:308AEEBEB1E1663ACA26CE880191F936D0E4E683
SHA-256:9DD9D76B4EF71188B09F3D074CD98B2DE6EA741530E4EA19D539AE3F870E8326
SHA-512:7B4F43FC24EB30C234F2713C493B3C13928C591C77A3017E8DD806A41CCFEDD53B0F748B5072052F8F9AC43236E8320B19D708903E3F06C59C6ED3C12722494E
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l..............{%......{".....Rich............................PE..L......K.........."!.........................................................@.......y....@.......................................... ............... ..X............................................................................................text...G...........................@..@.rsrc.... ... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:dropped
Size (bytes):225202
Entropy (8bit):4.985888615397263
Encrypted:false
SSDEEP:3072:0pvaMOA6EOEGJA7JDnbyiBTmAO3FQ31Rdz5Zq3Kho:6v+Ez0
MD5:6E5BDDF58163B11C79577B35A87A4424
SHA1:8AAA1008360F7B255A6A88AD02D3A00DEB8B0AE6
SHA-256:D4A26E3756437CA8BA132AE3A73AA7A829478A847D6B9AB69A8090515CE9A60A
SHA-512:21DD9D754C0A3A383F20259E87AA4769D6ECB36753039DCE8B644E16E0ABC3C94B4B850648E0369474C914655140E7F3CC3E808ED27E70892A863F61F8588C6E
Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (616), with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):40912
                                                                                                                                                                                                          Entropy (8bit):3.5296334743141515
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:4fgA4Ukd+uYW1HCD1GO/tja2QDu7Jr++dP8z3AzOrv:tUZW1iDDdWCJi8Pg32Y
                                                                                                                                                                                                          MD5:5397A12D466D55D566B4209E0E4F92D3
                                                                                                                                                                                                          SHA1:FCFFD8961FB487995543FC173521FDF5DF6E243B
                                                                                                                                                                                                          SHA-256:F124D318138FF084B6484DEB354CCA0F72296E1341BF01169792B3E060C89E89
                                                                                                                                                                                                          SHA-512:7708F5A2AD3E4C90C4C216600435AF87A1557F60CAF880A3DD9B5F482E17399AF9F0B9DE03FF1DBDD210583E0FEC5B466E35794AC24D6D37F9BBC094E52FC77B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):18776
                                                                                                                                                                                                          Entropy (8bit):5.182140892959793
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:ZikgnUfwVWVCe8b1S2U85ZTYG1lmW+eWaQKPnEtObMacxc8hjXHUz1TrOYL18:Zlv6Lbg2zZTf1lmW+eWaLXci2jXHUx8
                                                                                                                                                                                                          MD5:B057315A8C04DF29B7E4FD2B257B75F4
                                                                                                                                                                                                          SHA1:D674D066DF8D1041599FCBDB3BA113600C67AE93
                                                                                                                                                                                                          SHA-256:51B174AE7EE02D8E84C152D812E35F140A61814F3AECD64E0514C3950060E9FE
                                                                                                                                                                                                          SHA-512:F1CD510182DE7BBF8D45068D1B3F72DE58C7B419EFC9768765DF6C180AB3E2D94F3C058143095A66C05BCB70B589D1A5061E5FEE566282E5DB49FFBDEA3C672F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):152458
                                                                                                                                                                                                          Entropy (8bit):5.013297113523102
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:4zkouwFDNSMUYugRJA8J/snalBEm0OgKXIJR10GZybh2U:4zDNIYt
                                                                                                                                                                                                          MD5:A920D4F55EAE5FEBAB1082AB2BCC2439
                                                                                                                                                                                                          SHA1:CBD631427871B620E9C95417788BFCDD1CD0A2A5
                                                                                                                                                                                                          SHA-256:2FFF2122C4D176E074365775227D4208AF48F2F921BE7623EDC315CD345ACF0B
                                                                                                                                                                                                          SHA-512:28135FBD9D940F0DEEC7A059AB2998B034575CC5D6DD31B1BE501B60689860478B0A0AB5183C69B2ACBBB9C1A074BBAA215960B3FACC6A9A3B0170E27E7B2B47
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):16118
                                                                                                                                                                                                          Entropy (8bit):3.6434775915277604
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
                                                                                                                                                                                                          MD5:CD131D41791A543CC6F6ED1EA5BD257C
                                                                                                                                                                                                          SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
                                                                                                                                                                                                          SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
                                                                                                                                                                                                          SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 13 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):88533
                                                                                                                                                                                                          Entropy (8bit):7.210526848639953
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:xWayqxMQP8ZOs0JOG58d8vo2zYOvvHAj/4/aXj/Nhhg73BVp5vEdb:e/gB4H8vo2no0/aX7C7Dct
                                                                                                                                                                                                          MD5:F9657D290048E169FFABBBB9C7412BE0
                                                                                                                                                                                                          SHA1:E45531D559C38825FBDE6F25A82A638184130754
                                                                                                                                                                                                          SHA-256:B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
                                                                                                                                                                                                          SHA-512:8B93E898148EB8A751BC5E4135EFB36E3AC65AF34EAAC4EA401F1236A2973F003F84B5CFD1BBEE5E43208491AA1B63C428B64E52F7591D79329B474361547268
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1150
                                                                                                                                                                                                          Entropy (8bit):4.923507556620034
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:dOjNyw2aSGZHJi4U7Wf0mDX+QF7s/AemFAh:MjNyw/0NW9DOp/ANC
                                                                                                                                                                                                          MD5:7E55DDC6D611176E697D01C90A1212CF
                                                                                                                                                                                                          SHA1:E2620DA05B8E4E2360DA579A7BE32C1B225DEB1B
                                                                                                                                                                                                          SHA-256:FF542E32330B123486797B410621E19EAFB39DF3997E14701AFA4C22096520ED
                                                                                                                                                                                                          SHA-512:283D381AA396820B7E15768B20099D67688DA1F6315EC9F7938C2FCC3167777502CDED0D1BEDDF015A34CC4E5D045BCB665FFD28BA2FBB6FAF50FDD38B31D16E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5118974066097444
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:kRKqNllGuv/ll2dL/rK//dlQt0tlWMlMN8Fq/wbD4tNZDlNc367YCm6p+Wvtjlpr:pIGOmDAQt8n+uNbctNZ5w6AsXjKHRp5c
                                                                                                                                                                                                          MD5:26A00597735C5F504CF8B3E7E9A7A4C1
                                                                                                                                                                                                          SHA1:D913CB26128D5CA1E1AC3DAB782DE363C9B89934
                                                                                                                                                                                                          SHA-256:37026C4EA2182D7908B3CF0CEF8A6F72BDDCA5F1CFBC702F35B569AD689CF0AF
                                                                                                                                                                                                          SHA-512:08CEFC5A2B625F261668F70CC9E1536DC4878D332792C751884526E49E7FEE1ECFA6FCCFDDF7BE80910393421CC088C0FD0B0C27C7A7EFF2AE03719E06022FDF
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5178766234336925
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:pmZX5+9wQaxWbwW3h/7eHzemn0iLHRp5c:Md5EaxWbh/Cnt4
                                                                                                                                                                                                          MD5:8419CAA81F2377E09B7F2F6218E505AE
                                                                                                                                                                                                          SHA1:2CF5AD8C8DA4F1A38AAB433673F4DDDC7AE380E9
                                                                                                                                                                                                          SHA-256:DB89D8A45C369303C04988322B2774D2C7888DA5250B4DAB2846DEEF58A7DE22
                                                                                                                                                                                                          SHA-512:74E504D2C3A8E82925110B7CFB45FDE8A4E6DF53A188E47CF22D664CBB805EBA749D2DB23456FC43A86E57C810BC3D9166E7C72468FBD736DA6A776F8CA015D1
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... ...............................................................................................................................................................................................................................................................................................................................................................................r.p..........................................q.oj.hq.o..........................................b.`...................................................................................................J.I..................|.|...y.y...............Q.PC.BF.E..........................................>.=.........".!..........................................2.1".!'.&..........................................".!.....................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5189797450574103
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:pPrMIMxPWk3AyORrabBQ+gra2/MXWM4xfQHRp5c:1gxPbXlBQ+gr1ffO4
                                                                                                                                                                                                          MD5:924FD539523541D42DAD43290E6C0DB5
                                                                                                                                                                                                          SHA1:19A161531A2C9DBC443B0F41B97CBDE7375B8983
                                                                                                                                                                                                          SHA-256:02A7FE932029C6FA24D1C7CC06D08A27E84F43A0CBC47B7C43CAC59424B3D1F6
                                                                                                                                                                                                          SHA-512:86A4C5D981370EFA20183CC4A52C221467692E91539AC38C8DEF1CC200140F6F3D9412B6E62FAF08CA6668DF401D8B842C61B1F3C2A4C4570F3B2CEC79C9EE8B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... .................................................................................................................................................................................................................................................................................................................................................................................................................z.z...{.{...........................................................................................................................................................s.q..........................................y.wl.jl.j...............3.2#."*.)..................f.d.........E.D.........(.'..............................U.TE.DF.E..........................................E.D.....................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5119705312617957
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:kRK///FleTxml+SzNaoT9Q0/lHOmMdrYln8OUo/XRWl2XOXFBYpqnHp/p5c:p///FPwxUrMunUofRReFNHRp5c
                                                                                                                                                                                                          MD5:BB55B5086A9DA3097FB216C065D15709
                                                                                                                                                                                                          SHA1:1206C708BD08231961F17DA3D604A8956ADDCCFE
                                                                                                                                                                                                          SHA-256:8D82FF7970C9A67DA8134686560FE3A6C986A160CED9D1CC1392F2BA75C698AB
                                                                                                                                                                                                          SHA-512:DE9226064680DA6696976A4A320E08C41F73D127FBB81BF142048996DF6206DDB1C2FE347C483CC8E0E50A00DAB33DB9261D03F1CD7CA757F5CA7BB84865FCA9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... .............................................................................................................................................................................................................y.y...|.|.............................................................................................................................................................................................................................................,.+".!,.+.........................................(.'......................................................................................=.<..........................................S.RC.BG.F.............................j.h.........H.G..............................y.wj.hi.g..........................................j.h.....................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5083713071878764
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:kRKi+Blqkl/QThulVDYa5a//ItEl/aotzauakg//5aM1lkl05Kaag2/JqnHp/p5c:pXBHehqSayIylrtBg/bk4AgzHRp5c
                                                                                                                                                                                                          MD5:3B4861F93B465D724C60670B64FCCFCF
                                                                                                                                                                                                          SHA1:C672D63C62E00E24FBB40DA96A0CC45B7C5EF7F0
                                                                                                                                                                                                          SHA-256:7237051D9AF5DB972A1FECF0B35CD8E9021471740782B0DBF60D3801DC9F5F75
                                                                                                                                                                                                          SHA-512:2E798B0C9E80F639571525F39C2F50838D5244EEDA29B18A1FAE6C15D939D5C8CD29F6785D234B54BDA843A645D1A95C7339707991A81946B51F7E8D5ED40D2C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... .................................................................................................{.{...~.~.......................................................................................}.}.........................................................).(#."2.1..........................................).(...................................................................................................=.<..........................................N.ME.DN.M..........................................M.L.......................................................................................e.c..........................................z.xl.jm.k........................................r.p........................................................................................................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.5043420982993396
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:pjs+/hlRwx5REHevtOkslTaGWOpRFkpRHkCHRp5c:tZ/u+HeilBh/F+Rd4
                                                                                                                                                                                                          MD5:70006BF18A39D258012875AEFB92A3D1
                                                                                                                                                                                                          SHA1:B47788F3F8C5C305982EB1D0E91C675EE02C7BEB
                                                                                                                                                                                                          SHA-256:19ABCEDF93D790E19FB3379CB3B46371D3CBFF48FE7E63F4FDCC2AC23A9943E4
                                                                                                                                                                                                          SHA-512:97FDBDD6EFADBFB08161D8546299952470228A042BD2090CD49896BC31CCB7C73DAB8F9DE50CDAF6459F7F5C14206AF7B90016DEEB1220943D61C7324541FE2C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... .................................................................................................... ............................................$.$ ..0./...........................{.{............ ...........<.;..........................................C.BA.@O.N...............{.{...~.~..................G.F..................................................................................................._.]..........................................n.lg.en.l..........................................p.n...............................................................................................................................................................................................................................................................................................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.4948009720290445
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:kRKIekllisUriJ2IP+eX8iDml8mS8+hlxllwqlllkg2klHYdpqnHp/p5c:p8os0iieX8iNVHX//x2sHYdoHRp5c
                                                                                                                                                                                                          MD5:FB4DFEBE83F554FAF1A5CEC033A804D9
                                                                                                                                                                                                          SHA1:6C9E509A5D1D1B8D495BBC8F57387E1E7E193333
                                                                                                                                                                                                          SHA-256:4F46A9896DE23A92D2B5F963BCFB3237C3E85DA05B8F7660641B3D1D5AFAAE6F
                                                                                                                                                                                                          SHA-512:3CAEB21177685B9054B64DEC997371C4193458FF8607BCE67E4FBE72C4AF0E6808D344DD0D59D3D0F5CE00E4C2B8A4FFCA0F7D9352B0014B9259D76D7F03D404
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... ....................................................................................................G.F..........................................H.GG.FX.V..............................).(.........G.F.........i.g..................+.*%.$5.4...............n.ln.l{.y.................. .......................u.s............................................................................................................................................................~.~...~.~.................................................................................................................................................................................................................................................................................................................................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):894
                                                                                                                                                                                                          Entropy (8bit):2.513882730304912
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:pPv1OuTerb53mpOBfXjQuZfKWpIXE1D6HRp5c:91OEerb53eUQsflpIP4
                                                                                                                                                                                                          MD5:D1C53003264DCE4EFFAF462C807E2D96
                                                                                                                                                                                                          SHA1:92562AD5876A5D0CB35E2D6736B635CB5F5A91D9
                                                                                                                                                                                                          SHA-256:5FB03593071A99C7B3803FE8424520B8B548B031D02F2A86E8F5412AC519723C
                                                                                                                                                                                                          SHA-512:C34F8C05A50DC0DE644D1F9D97696CDB0A1961C7C7E412EB3DF2FD57BBD34199CF802962CA6A4B5445A317D9C7875E86E8E62F6C1DF8CC3415AFC0BD26E285BD
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............h.......(....... ....................................................................................................g.e..........................................g.eg.ew.u..............................F.E.........g.e..............................E.DA.@P.O..........................................:.9......................................................................................&.%.........................................+.* ..+.*..................................................................................................................................................{.{.......................................................................................~.~...{.{..............................................................................................................................................G.......................................G..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1150
                                                                                                                                                                                                          Entropy (8bit):4.824239610266714
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:Br5ckw0Pce/WPv42lPpJ2/BatY9Y4ollEKeKzn:h6kPccWPQS2UtEYFEKeu
                                                                                                                                                                                                          MD5:7D62E82D960A938C98DA02B1D5201BD5
                                                                                                                                                                                                          SHA1:194E96B0440BF8631887E5E9D3CC485F8E90FBF5
                                                                                                                                                                                                          SHA-256:AE041C8764F56FD89277B34982145D16FC59A4754D261C861B19371C3271C6E5
                                                                                                                                                                                                          SHA-512:AB06B2605F0C1F6B71EF69563C0C977D06C6EA84D58EF7F2BAECBA566D6037D1458C2B58E6BFD70DDEF47DCCBDEA6D9C2F2E46DEA67EA9E92457F754D7042F67
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............ .h.......(....... ..... .....@........................................................................................klT.de..UV..RS..OP..MM..JJ..GG..DD..AA.x;<.x;<.r99.n67..........kl......D$.G2!...............VMH..>3..=6..91.r99..........op.........q[K.G<4..xh...........s..A5..B<..=5.x;<..........uv...........q[K.....G<4..........tg..KC..ID..B<.}>>..........{|.............q[K.q[K.q[K.q[K.vbR.}j[..VT..OL..ID..AA...............................yz..qr..kl..]\..VT..PL..DD.....................c`..^V..XK..R?..M4..G(..A...;...]\..VT..GG................fg.................................;...]\..JJ................mn..................................A...gg..MM................vw..................................G(..qr..OP..................................................M4..yz..RS..................................................R?.g33..UV....................................................XK..XY..XY..................................
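The entries above are all small, low-entropy icon resources dropped by the bundled vcredist_x86.exe, and each is listed with the same fields: size, 8-bit entropy, an Encrypted flag, and MD5/SHA1/SHA-256/SHA-512 digests. The added example below (my own code, not Joe Sandbox's and not taken from the analysed installer) shows how those per-file fields are derived and adds the sanity check a triager wants on a dropped-file listing: whether an ICO's declared geometry accounts for every byte of the file, so that an "icon" padded with extra payload or truncated on disk stands out. The listing's 894-byte 16x16 24-bpp and 1150-byte 16x16 32-bpp sizes are exactly what an uncompressed single-image icon of that geometry occupies, which the check reproduces. The sample icons are constructed in memory rather than read from the report, and the entropy cut-off used for the Encrypted flag is an assumption of this example; Joe Sandbox does not publish its threshold.

```python
"""Triage helpers for a sandbox "dropped files" listing.

Added example, not part of the Joe Sandbox report or of the analysed
installer. It builds a 16x16 ICO in memory (constructed sample, not one of
the dropped icons), recomputes the per-file fields the listing shows
(size, 8-bit entropy, MD5/SHA1/SHA-256/SHA-512) and checks that an ICO's
declared geometry accounts for every byte of the file.
"""
import hashlib
import math
import struct
from collections import Counter
from typing import Any, Dict, Optional

# Assumption of this example: the report does not publish the threshold
# behind its "Encrypted" flag, so a bits-per-byte cut-off is used here.
ENCRYPTED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy_8bit(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0 (the listing's "Entropy (8bit)" column)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> Dict[str, str]:
    """Upper-case hex digests for the four algorithms in the listing."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def _row_bytes(width: int, bpp: int) -> int:
    """DIB scanlines are padded to a 4-byte boundary."""
    return ((width * bpp + 31) // 32) * 4


def expected_dib_icon_size(width: int, height: int, bpp: int, colors: int = 0) -> int:
    """Length of one uncompressed icon image: BITMAPINFOHEADER (40) +
    palette (only at <= 8 bpp) + XOR bitmap + 1-bpp AND mask."""
    palette = 4 * (colors or (1 << bpp)) if bpp <= 8 else 0
    return 40 + palette + height * _row_bytes(width, bpp) + height * _row_bytes(width, 1)


def build_ico(width: int, height: int, bpp: int, fill: bytes) -> bytes:
    """Constructed single-image ICO (16/24/32 bpp) with a flat fill colour."""
    xor_row, and_row = _row_bytes(width, bpp), _row_bytes(width, 1)
    xor = (fill[: bpp // 8] * width).ljust(xor_row, b"\x00") * height
    mask = b"\x00" * (and_row * height)
    image_size = 40 + len(xor) + len(mask)
    # BITMAPINFOHEADER; biHeight is doubled because it spans XOR + AND bitmaps.
    bih = struct.pack("<IiiHHIIiiII", 40, width, height * 2, 1, bpp, 0,
                      len(xor) + len(mask), 0, 0, 0, 0)
    entry = struct.pack("<BBBBHHII", width % 256, height % 256, 0, 0, 1, bpp,
                        image_size, 6 + 16)  # image starts after ICONDIR + one entry
    return struct.pack("<HHH", 0, 1, 1) + entry + bih + xor + mask


def ico_geometry_consistent(data: bytes) -> Optional[bool]:
    """True if every directory entry lies inside the file, every DIB entry's
    length matches its header geometry, and no slack follows the last image;
    False on a mismatch; None if the data is not an ICO at all."""
    if len(data) < 6 or data[:4] != b"\x00\x00\x01\x00":
        return None
    count = struct.unpack_from("<H", data, 4)[0]
    end = 6 + 16 * count
    for i in range(count):
        if 6 + 16 * (i + 1) > len(data):
            return False
        size, start = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if start + size > len(data):
            return False
        end = max(end, start + size)
        if size >= 40 and struct.unpack_from("<I", data, start)[0] == 40:
            w, h2, _, bpp = struct.unpack_from("<iiHH", data, start + 4)
            colors = struct.unpack_from("<I", data, start + 32)[0]
            if size != expected_dib_icon_size(abs(w), abs(h2) // 2, bpp, colors):
                return False
        # PNG-compressed entries have no fixed length and are only bounds-checked.
    return end == len(data)


def triage(name: str, data: bytes) -> Dict[str, Any]:
    """Recompute the listing's fields for one dropped file."""
    entropy = shannon_entropy_8bit(data)
    return {
        "name": name, "size": len(data), "entropy": round(entropy, 4),
        "encrypted": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "ico_consistent": ico_geometry_consistent(data), **digests(data),
    }


if __name__ == "__main__":
    sample = build_ico(16, 16, 24, b"\x10\x20\x30")  # 894 bytes, like the listing
    print(triage("sample.ico", sample), triage("padded.ico", sample + b"MZ" * 64))
```

Run against a real dropped-files directory by reading each file's bytes into `triage()`; an icon that reports `ico_consistent: False` or an entropy near 8 while the sandbox still says "Encrypted: false" is worth opening in a hex editor, because the icon loader ignores trailing bytes and they can carry a second-stage payload without changing how the icon renders.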
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 12 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):36710
                                                                                                                                                                                                          Entropy (8bit):5.3785085024370805
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:IXcWz9GU46B4riEzg8CKcqxkk63gBh6wSphnBcI/ObMFp2rOebgcjTQcho:IMWQ2Bf8qqxMQP8pc4XessTJo
                                                                                                                                                                                                          MD5:3D25D679E0FF0B8C94273DCD8B07049D
                                                                                                                                                                                                          SHA1:A517FC5E96BC68A02A44093673EE7E076AD57308
                                                                                                                                                                                                          SHA-256:288E9AD8F0201E45BC187839F15ACA79D6B9F76A7D3C9274C80F5D4A4C219C0F
                                                                                                                                                                                                          SHA-512:3BDE668004CA7E28390862D0AE9903C756C16255BDBB3F7E73A5B093CE6A57A3165D6797B0A643B254493149231ACA7F7F03E0AF15A0CBE28AFF02F0071EC255
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............(...............h...............h...V... .............. .............. ..........N...00......h...."..00..........^)..00...........8........ .h....T.. .... ......Y..00.... ..%...i..(....... ....................................................................................................w......x......................x..ww...........h...............................w.....w.x..........x................xwvwg.................................................................(....... ...................................jO:.mS?.qWD.v\I.|cP..kX..q_..sa..yg..{j...p..nh..pj..uo..|u..xq..|r..|u..rx..zy..|w.}.y...q...d...y...{......S...]..d..i..r..|...j..j...y...e...k...l..q...y...~...v...y..s..s..m...m...l...n...k...t...l..........................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1150
                                                                                                                                                                                                          Entropy (8bit):5.038533294442847
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:MuoBP5lj49s9NRDe4LakKcTM8cv99uGzMN:MlFH3/Ri4LaN3q
                                                                                                                                                                                                          MD5:661CBD315E9B23BA1CA19EDAB978F478
                                                                                                                                                                                                          SHA1:605685C25D486C89F872296583E1DC2F20465A2B
                                                                                                                                                                                                          SHA-256:8BFC77C6D0F27F3D0625A884E0714698ACC0094A92ADCB6DE46990735AE8F14D
                                                                                                                                                                                                          SHA-512:802CC019F07FD3B78FCEFDC8404B3BEB5D17BFC31BDED90D42325A138762CC9F9EBFD1B170EC4BBCCCF9B99773BD6C8916F2C799C54B22FF6D5EDD9F388A67C6
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............ .h.......(....... ..... .....@..........................................M...........S...........................................q.......................z...................................;........q.c.P.K.|.}............C....................................;.!......................................................Ry,.*w..!.............-.........................................6b..8v................ .+.@............#....................4u..;a..............H.<.........=.C.............................&y..x.e.................$}......................................<.).........\.A............}..................................[.R.}.n.Z.C.y.Y.k.L............. q..............................t.s............r...k.........]{G..............................................y.`.z.h.a.N.e.P...............................................~.q._.J...............................8....................t.p..................?..................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1150
                                                                                                                                                                                                          Entropy (8bit):5.854644771288791
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:u2iVNINssNQhYMEyfCHWZZ7rTRrbWjcyuE:uDW871fdZ1lbWjME
                                                                                                                                                                                                          MD5:EE2C05CC9D14C29F586D40EB90C610A9
                                                                                                                                                                                                          SHA1:E571D82E81BD61B8FE4C9ECD08869A07918AC00B
                                                                                                                                                                                                          SHA-256:3C9C71950857DDB82BAAB83ED70C496DEE8F20F3BC3216583DC1DDDA68AEFC73
                                                                                                                                                                                                          SHA-512:0F38FE9C97F2518186D5147D2C4A786B352FCECA234410A94CC9D120974FC4BE873E39956E10374DA6E8E546AEA5689E7FA0BEED025687547C430E6CEFFABFFB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............ .h.......(....... ..... .....@....................................../..F..........!....n....d..................................;.............,+..AB..UV..XZ...1.....S......................U.....................EE..\[..rr......NP.....^..............<s.....................!.$)..AC..jj..ww..{{..57.....4........01.................H..........N?8;..[[..ba..`_..TU....L.......bj]^..QP.........:..........)N#&..>=..GG..HI..IJ..EE..!#......24..mm..hh..,.............+N........)(..*-.....{-...-,........ SPS..zy..qr....qq......0NCE..33..%%........ZJ...."$..0/../1....?qRU............W}..)A]^..rr..qq..Y[...._z........CE..RQ..AC....8`79.........SU..ab......||..ef....ey...........QZ[..ZZ..=?.....(...d....................pr.....H............IK..jj..fg..*,..........]_..................[y.......(..:VQS..{z..ut..ab....'H...........?................||..ef..jk..................$%d....................W....................................*,n.............................HI......................WY
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):10134
                                                                                                                                                                                                          Entropy (8bit):6.016582854640062
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:uC1kqWje1S/f1AXa0w+2ZM4xD02EuZkULqcA0zjrpthQ2Ngms9+LmODclhpjdfLt:JkqAFqroMS9lD9Ngr9+m7bxpXHT5ToYR
                                                                                                                                                                                                          MD5:5DFA8D3ABCF4962D9EC41CFC7C0F75E3
                                                                                                                                                                                                          SHA1:4196B0878C6C66B6FA260AB765A0E79F7AEC0D24
                                                                                                                                                                                                          SHA-256:B499E1B21091B539D4906E45B6FDF490D5445256B72871AECE2F5B2562C11793
                                                                                                                                                                                                          SHA-512:69A13D4348384F134BA93C9A846C6760B342E3A7A2E9DF9C7062088105AC0B77B8A524F179EFB1724C0CE168E01BA8BB46F2D6FAE39CABE32CAB9A34FC293E4A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@......................................................................................................wwx...........w....w.........x....x.........x.y.......................p..............x.........q.......p.........q.................xy...........q.......................p.............y..................x.y..............y.y.............yyy.........S........x..........yy.............x.yyyx......................Q.8.........x..............y....qy.p...y.....x.....p........y....9.....y....yy..yx.......y..yyyw..p.....y.yyyyy................x.p........y.yy..........x...x............x.................wwx.....................?...................................................................................................?............(....... ..................................................................................................ww.....w..........xx..x........x....p........xy
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:MS Windows icon resource - 6 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):10134
                                                                                                                                                                                                          Entropy (8bit):4.3821301214809045
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:USAk9ODMuYKFfmiMyT4dvsZQl+g8DnPUmXtDV3EgTtc:r9wM7pyEBlcgssmXpVUgJc
                                                                                                                                                                                                          MD5:B2B1D79591FCA103959806A4BF27D036
                                                                                                                                                                                                          SHA1:481FD13A0B58299C41B3E705CB085C533038CAF5
                                                                                                                                                                                                          SHA-256:FE4D06C318701BF0842D4B87D1BAD284C553BAF7A40987A7451338099D840A11
                                                                                                                                                                                                          SHA-512:5FE232415A39E0055ABB5250B120CCDCD565AB102AA602A3083D4A4705AC6775D45E1EF0C2B787B3252232E9D4673FC3A77AAB19EC79A3FF8B13C4D7094530D2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@................................................................................................................................................................wwwww.....wwww...................3333333333338...{....3s.....x...{....0G;.............0.;...7.........33....8.....{...33..............0....7...............8.......{....;.............0.;.............0...8...........4...............wu;.............ww;.............ww;?...........;ww;.............7w................................8.............{...................................................................................................................................................................?...?..................................................?...?.........(....... ........................................................................................................333333;...............8.........;........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (314), with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):8968
                                                                                                                                                                                                          Entropy (8bit):3.5907064103424333
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:gCwdBdVv3CL021BqG2ahBCw2G2X2BCEj2G2KQ6G2nCw+KFl:kRPGiGPKGPGYCrKFl
                                                                                                                                                                                                          MD5:66590F13F4C9BA563A9180BDF25A5B80
                                                                                                                                                                                                          SHA1:D6D9146FAEEC7824B8A09DD6978E5921CC151906
                                                                                                                                                                                                          SHA-256:BF787B8C697CE418F9D4C07260F56D1145CA70DB1CC4B1321D37840837621E8F
                                                                                                                                                                                                          SHA-512:ABA67C66C2F3D9B3C9D71D64511895F15F696BE8BE0EEDD2D6908E1203C4B0CF318B366F9F3CD9C3B3B8C0770462F83E6EEA73E304C43F88D0CBEDF69E7C92B3
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .x.m.l.n.s.:.i.r.o.n.m.a.n.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p./.2.0.0.8./.0.1./.i.m.". .S.e.t.u.p.V.e.r.s.i.o.n.=.".1...0.".>..... . .<.U.I. .D.l.l.=.".S.e.t.u.p.U.i...d.l.l.". .N.a.m.e.=.".M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.0. . .x.8.6. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .S.e.t.u.p.". .V.e.r.s.i.o.n.=.".1.0...0...3.0.3.1.9.". ./.>..... . .<.C.o.n.f.i.g.u.r.a.t.i.o.n.>..... . . . .<.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . . . .<.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h. .N.a.m.e.=.".c.r.e.a.t.e.l.a.y.o.u.t.". ./.>..... . . . .<./.D.i.s.a.b.l.e.d.C.o.m.m.a.n.d.L.i.n.e.S.w.i.t.c.h.e.s.>..... . . . .<.U.s.e.r.E.x.p.e.r.i.e.n.c.e.D.a.t.a.C.o.l.l.e.c.t.i.o.n. .P.o.l.i.c.y.=.".U.s.e.r.C.o.n.t.r.o.l.l.e.d.". ./.>..... . . . .
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):78152
                                                                                                                                                                                                          Entropy (8bit):6.011592088917562
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:sYNItbBL5NWiiESc0exWZnqxMQP8ZOs0JD9rHUq:sYNAB9NWTZctc/gBJ9oq
                                                                                                                                                                                                          MD5:006F8A615020A4A17F5E63801485DF46
                                                                                                                                                                                                          SHA1:78C82A80EBF9C8BF0C996DD8BC26087679F77FEA
                                                                                                                                                                                                          SHA-256:D273460AA4D42F0B5764383E2AB852AB9AF6FECB3ED866F1783869F2F155D8BE
                                                                                                                                                                                                          SHA-512:C603ED6F3611EB7049A43A190ED223445A9F7BD5651100A825917198B50C70011E950FA968D3019439AFA0A416752517B1C181EE9445E02DA3904F4E4B73CE76
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;.................j.}.....].v.....h.w.....\.H...v.e.|.......B.....h.~.....Y.|.....].~.....m.~.....l.~.....k.~...Rich............PE..L......K.........."......f...........+............@..........................P............@...... ..................pu..x...Tp..<.......................H....@...... ................................(..@............................................text....e.......f.................. ..`.data................j..............@....rsrc................v..............@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):807256
Entropy (8bit):6.357664904941565
Encrypted:false
SSDEEP:24576:GS62nlYAqK/AitUgiuVQk/oifPNJIkjbSTzR8NmsBJj:GS62nlYAltBjPNJIkHST18QsBJ
MD5:84C1DAF5F30FF99895ECAB3A55354BCF
SHA1:7E25BA36BCC7DEED89F3C9568016DDB3156C9C5A
SHA-256:7A0D281FA802D615EA1207BD2E9EBB98F3B74F9833BBA3CB964BA7C7E0FB67FD
SHA-512:E4FB7E4D39F094463FDCDC4895AB2EA500EB51A32B6909CEC80A526BBF34D5C0EB98F47EE256C0F0865BF3169374937F047BF5C4D6762779C8CA3332B4103BE3
Malicious:false
Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................&......&.......R.....z.....O.....{......B...........O.....~.....J.....K.....L....Rich...........................PE..L......K.........."!................Y...............................................;.....@.....................................h....................:..X...............................................@............................................text............................... ..`.data...8...........................@....rsrc................f..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):295248
Entropy (8bit):6.262127887617593
Encrypted:false
SSDEEP:3072:/LTVUK59JN+C0iy4Ww8oBcPFIOrvHvr8QDZHAAKWiIHT6llN1QkvQZaiionv5y/y:HOoMFrz8ygAKWiiIyKf73w
MD5:EB881E3DDDC84B20BD92ABCEC444455F
SHA1:E2C32B1C86D4F70E39DE65E9EBC4F361B24FF4A1
SHA-256:11565D97287C01D22AD2E46C78D8A822FA3E6524561D4C02DFC87E8D346C44E7
SHA-512:5750CEC73B36A3F19BFB055F880F3B6498A7AE589017333F6272D26F1C72C6F475A3308826268A098372BBB096B43FBD1E06E93EECC0A81046668228BC179A75
Malicious:false
Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..bI...I..WI...I..cI..I..ZI...I...IG..I..WI...I..fI...I..RI...I..SI...I..TI...IRich...I................PE..L......K.........."!................................................................yq....@..........................................P...............j..P....`..0?..................................`z..@............................................text............................... ..`.data....Q.......4..................@....rsrc........P......................@..@.reloc...T...`...V..................@..B........................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
Category:dropped
Size (bytes):30120
Entropy (8bit):4.990211039591874
Encrypted:false
SSDEEP:768:hlzLm8eYhsPs05F8/ET/chT+cxcW8G2P4oeTMC:1wchT+cxcDm
MD5:2FADD9E618EFF8175F2A6E8B95C0CACC
SHA1:9AB1710A217D15B192188B19467932D947B0A4F8
SHA-256:222211E8F512EDF97D78BC93E1F271C922D5E91FA899E092B4A096776A704093
SHA-512:A3A934A8572FF9208D38CF381649BD83DE227C44B735489FD2A9DC5A636EAD9BB62459C9460EE53F61F0587A494877CD3A3C2611997BE563F3137F8236FFC4CA
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema".. xmlns="http://schemas.microsoft.com/SetupUI/2008/01/imui".. xmlns:imui="http://schemas.microsoft.com/SetupUI/2008/01/imui".. targetNamespace="http://schemas.microsoft.com/SetupUI/2008/01/imui".. elementFormDefault="qualified"..attributeFormDefault="unqualified"..>.... <xs:annotation>.. <xs:documentation>.. Copyright (c) Microsoft Corporation. All rights reserved... Schema for describing DevDiv "Setup UI Info".. </xs:documentation>.. </xs:annotation>.... <xs:element name="SetupUI">.. <xs:annotation>.. <xs:documentation>specifies UI dll, and lists of MSIs MSPs and EXEs</xs:documentation>.. </xs:annotation>.. <xs:complexType>.. <xs:sequence>.. <xs:choice>.. <xs:element ref="UI" minOccurs="1" maxOccurs="1"></xs:element>.. <xs:element ref="Strings" minOccurs="1" maxOccurs="1"></xs:element>..

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PC bitmap, Windows 3.x format, 200 x 200 x 8, image size 40000, resolution 3779 x 3779 px/m, cbSize 41078, bits offset 1078
Category:dropped
Size (bytes):41078
Entropy (8bit):0.3169962482036715
Encrypted:false
SSDEEP:24:SgrNa0EfB4elU+jB+rQXJH4+Cs77hIfVHCv4ToqIzgPc8wcKHL+3:3pa0e4YjB5vAHk4E7zgPcDc53
MD5:43B254D97B4FB6F9974AD3F935762C55
SHA1:F94D150C94064893DAED0E5BBD348998CA9D4E62
SHA-256:91A21EBA9F5E1674919EE3B36EFA99714CFB919491423D888CB56C0F25845969
SHA-512:46527C88F0AED25D89833B9BE280F5E25FFCEAE6BC0653054C8B6D8EBE34EBA58818A0A02A72BD29279310186AC26D522BBF34191FBDE279A269FC9DA5840ACC
Malicious:false
Preview:BMv.......6...(...................@.......................{7...>...h?..D...N...K..........xE..._#..q..T...X...Q...[..._...c...j....>.!....f...v...r...."..v....0....... ..........4..I.........[...}..............j.............................................................................................................i......................@>1.......................................................o...u...u...z...z...~............................................................................................................................................................................{...~.................................................................................................................yw`......................................................................................................................................................//'...........................................

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):14246
Entropy (8bit):3.70170676934679
Encrypted:false
SSDEEP:384:VAZo71GHY3vqaqMnYfHHVXIHjfBHwnwXCa+F:VAB
MD5:332ADF643747297B9BFA9527EAEFE084
SHA1:670F933D778ECA39938A515A39106551185205E9
SHA-256:E49545FEEAE22198728AD04236E31E02035AF7CC4D68E10CBECFFD08669CBECA
SHA-512:BEA95CE35C4C37B4B2E36CC1E81FC297CC4A8E17B93F10423A02B015DDB593064541B5EB7003560FBEEE512ED52869A113A6FB439C1133AF01F884A0DB0344B0
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". ..... . . . . . . . . .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.S.t.r.i.n.g.s.>..... . . . .<.!.-.-. .R.e.f.l.e.c.t.i.v.e. .p.r.o.p.e.r.t.y. .p.a.g.e. .-.-.>..... . . . .<.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>.#.(.l.o.c...i.d.s._.c.a.p.t.i.o.n._.f.o.r.m.a.t._.1.s.).<./.I.D.S._.C.A.P.T.I.O.N._.F.O.R.M.A.T._.1.S.>..... . . . .<.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>.#.(.l.o.c...i.d.s._.i.s._.r.e.a.l.l.y._.c.a.n.c.e.l.).<./.I.D.S._.I.S._.R.E.A.L.L.Y._.C.A.N.C.E.L.>......... . . . .<.!.-.-. .S.y.s.t.e.m. .R.e.q.u.i.r.e.m.e.n.t.s. .p.a.g.e. .-.-.>..... . . . .<.S.Y.S.R.E.Q.P.A.G.E._.R.E.Q.U.I.R.E.D._.A.N.D._.A.V.A.I.L.A.B.L.E._.D.I.S.K._.S.P.A.C.E.>.#.(.l.o.c...s.y.s.r.e.q.

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):36342
Entropy (8bit):3.0937266645670003
Encrypted:false
SSDEEP:768:S4UR0d5v0SguJQvFQXvDINJh6Fmhvk71sO0Nep3UL9Eu+dOtOcOdOjT5fuPkfuS:S4UR0d5v0QYQLIN/6Fmhvk71sO0Nep3q
MD5:812F8D2E53F076366FA3A214BB4CF558
SHA1:35AE734CFB99BB139906B5F4E8EFBF950762F6F0
SHA-256:0D36A884A8381778BEA71F5F9F0FC60CACADEBD3F814679CB13414B8E7DBC283
SHA-512:1DCC3EF8C390CA49FBCD50C02ACCD8CC5700DB3594428E2129F79FEB81E4CBBEEF1B4A10628B2CD66EDF31A69ED39CA2F4E252AD8AA13D2F793FCA5B9A1EAF23
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.S.e.t.u.p.U.I. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .x.m.l.n.s.:.i.m.u.i.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.S.e.t.u.p.U.I./.2.0.0.8./.0.1./.i.m.u.i.". .>..... . .<.U.I.>......... . . . .<.R.e.s.o.u.r.c.e.D.l.l.>.S.e.t.u.p.R.e.s.o.u.r.c.e.s...d.l.l.<./.R.e.s.o.u.r.c.e.D.l.l.>..... . . . .<.S.p.l.a.s.h.S.c.r.e.e.n.>..... . . . . . .<.H.i.d.e./.>..... . . . .<./.S.p.l.a.s.h.S.c.r.e.e.n.>......... . . . .<.L.C.I.D.H.i.n.t.s.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . . . . .<.R.e.g.K.e.y.>.H.K.C.U.\.S.o.f.t.w.a.r.e.\.M.i.c.r.o.s.o.f.t.\.V.i.s.u.a.l.S.t.u.d.i.o.\.9...0.\.G.e.n.e.r.a.l.<./.R.e.g.K.e.y.>..... . . . . . . . .<.R.e.g.V.a.l.u.e.N.a.m.e.>.U.I.L.a.n.g.u.a.g.e._.f.a.k.e.<./.R.e.g.V.a.l.u.e.N.a.m.e.>..... . . . . . .<./.L.C.I.D.H.i.n.t.>..... . . . . . .<.L.C.I.D.H.i.n.t.>..... . . . . .

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PC bitmap, Windows 3.x format, 49 x 49 x 24, image size 7254, resolution 2834 x 2834 px/m, cbSize 7308, bits offset 54
Category:dropped
Size (bytes):7308
Entropy (8bit):3.7864255453272464
Encrypted:false
SSDEEP:48:9L9GXidTgX2bqxIS0SRosEYYgJSIf4pKTg7pDdEAeObh8EWu:R/Y2bq10Q/EY1sK8M4bb
MD5:3AD1A8C3B96993BCDF45244BE2C00EEF
SHA1:308F98E199F74A43D325115A8E7072D5F2C6202D
SHA-256:133B86A4F1C67A159167489FDAEAB765BFA1050C23A7AE6D5C517188FB45F94A
SHA-512:133442C4A65269F817675ADF01ADCF622E509AA7EC7583BCA8CD9A7EB6018D2AAB56066054F75657038EFB947CD3B3E5DC4FE7F0863C8B3B1770A8FA4FE2E658
Malicious:false
Preview:BM........6...(...1...1...........V.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):144416
Entropy (8bit):6.7404750879679485
Encrypted:false
SSDEEP:3072:uochw/MFWrJjKOMxRSepuBaqn/NlnBh2Lx0JVzx1wWobn1ek8F7HncO5hK9YSHlN:zDFB47UhXBh2yJ5HcOSSSHZqG
MD5:3F0363B40376047EFF6A9B97D633B750
SHA1:4EAF6650ECA5CE931EE771181B04263C536A948B
SHA-256:BD6395A58F55A8B1F4063E813CE7438F695B9B086BB965D8AC44E7A97D35A93C
SHA-512:537BE86E2F171E0B2B9F462AC7F62C4342BEB5D00B68451228F28677D26A525014758672466AD15ED1FD073BE38142DAE478DF67718908EAE9E6266359E1F9E8
Malicious:false
Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................................................................Rich...................PE..L....IE...........!.........$.....................l.........................@......R.....@.........................D.......$...d....................... (... ......P...8............................\..@.......t.......D............................text............................... ..`.data...............................@....rsrc...............................@..@.reloc....... ......................@..Ba.IE8....IEC....IEP....IEZ.....IEe....IEP...........msvcrt.dll.ADVAPI32.dll.ntdll.DLL.USER32.dll.KERNEL32.dll...............................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:Microsoft Cabinet archive data, 4186145 bytes, 19 files, at 0x44 +A "F_CENTRAL_atl100_x86" +A "F_CENTRAL_mfc100_x86", flags 0x4, number 1, extra bytes 20 in head, 354 datablocks, 0x1503 compression
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):4192089
                                                                                                                                                                                                          Entropy (8bit):7.999755784501758
                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                          SSDEEP:98304:YHgT57PlfosWFk9TRxWCP/kbNfS2g92D7epPC1txsBDDfifN7wVH:YHmPxFik99xlnANfcM3YDIN7YH
                                                                                                                                                                                                          MD5:6C59FECF51931FB4540E571AE0310098
                                                                                                                                                                                                          SHA1:DB5B0E9F7D20D2B1CCD61320ECCA7A60E118619B
                                                                                                                                                                                                          SHA-256:08E4D5BAD48C0203FDF02FDC28794F820DFB1D4480BDCAC562E7BC6E15FFAAD3
                                                                                                                                                                                                          SHA-512:D9CC7C6EF54105C981AACAAFDE890019AF766B53417E765FA7636C3B8A4400CE6F987CCEF1A54B4521412A8E45C011476C065CEBC892688AEED1B027E3E761BA
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MSCF....!.?.....D...........................!.?.8...........Y...b...H.........r<.I .F_CENTRAL_atl100_x86.HAB.H.....r<.I .F_CENTRAL_mfc100_x86.P....\D...r<.I .F_CENTRAL_mfc100chs_x86.P.....D...r<.I .F_CENTRAL_mfc100cht_x86.P...0wE...r<.I .F_CENTRAL_mfc100deu_x86.P....rF...r<.I .F_CENTRAL_mfc100enu_x86.P....IG...r<.I .F_CENTRAL_mfc100esn_x86.P... CH...r<.I .F_CENTRAL_mfc100fra_x86.P...p>I...r<.I .F_CENTRAL_mfc100ita_x86.P....1J...r<.I .F_CENTRAL_mfc100jpn_x86.P.....J...r<.I .F_CENTRAL_mfc100kor_x86.P...`.K...r<.I .F_CENTRAL_mfc100rus_x86.P.B..sL...r<.I .F_CENTRAL_mfc100u_x86.P9........r<.I .F_CENTRAL_mfcm100_x86.P;..PV....r<.I .F_CENTRAL_mfcm100u_x86.Pm........r<.I .F_CENTRAL_msvcp100_x86.P.........r<.I .F_CENTRAL_msvcr100_x86.P...@.....r<.I .F_CENTRAL_vcomp100_x86.P3........r<.. .FL_msdia71_dll_2_60035_x86_ln.3643236F_FC70_11D3_A536_0090278A1BB8...W..:..[..... '.."S`$..n...W..de`e. .(.$.gV...2..X@A..ra*NR<cq|...{.`.p.M.. .).JM....q..........Q.......?.........2..nL......U.f#[v..#--
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):155136
                                                                                                                                                                                                          Entropy (8bit):6.337010677866242
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                                                                                                                                                                                          MD5:CD2B99BB86BA6A499110C72B78B9324E
                                                                                                                                                                                                          SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                                                                                                                                                                                          SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                                                                                                                                                                                          SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
                                                                                                                                                                                                          File Type:PC bitmap, Windows 3.x format, 164 x 628 x 24, image size 308978, resolution 2834 x 2834 px/m, cbSize 309032, bits offset 54
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):309032
                                                                                                                                                                                                          Entropy (8bit):6.583379857106919
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:yUDLmozgtuVYKKKvwUbKh5+/uWLspp2e1jSaMsb1bIZU0g0WQbO//QGVYBtGKQgc:yUDLmozvygKjzbIGgBZBkUfDfc
                                                                                                                                                                                                          MD5:1A5CAAFACFC8C7766E404D019249CF67
                                                                                                                                                                                                          SHA1:35D4878DB63059A0F25899F4BE00B41F430389BF
                                                                                                                                                                                                          SHA-256:2E87D5742413254DB10F7BD0762B6CDB98FF9C46CA9ACDDFD9B1C2E5418638F2
                                                                                                                                                                                                          SHA-512:202C13DED002D234117F08B18CA80D603246E6A166E18BA422E30D394ADA7E47153DD3CCE9728AFFE97128FDD797FE6302C74DC6882317E2BA254C8A6DB80F46
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BM(.......6...(.......t.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                          Size (bytes):26167
                                                                                                                                                                                                          Entropy (8bit):5.432770514479796
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:kip/WPACjk4AJCK+nMUQA9qiMApsusPem6AR/G:kgWvk4AJCK+nMUQA9qiMqFI+
                                                                                                                                                                                                          MD5:6ECF0D51DB6805664B494F796FD05E3B
                                                                                                                                                                                                          SHA1:326821318ADB625E18DC4B093A1530D514A0FB46
                                                                                                                                                                                                          SHA-256:13EE31DBB96B28422EB7997066D11C47B53B025CC8FB97F489A2A82AD0BE3157
                                                                                                                                                                                                          SHA-512:C0AEDD3081309E5608308A01907AF8E1C0517BA1CE1931D557FB75D15837F94330729C8231BB4BA0F9CDACB9042388082B88739BE7756B75568E469702215F55
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:...@IXOS.@.....@.r_Y.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{9983C931-37BE-3C6E-AD32-8B6E789B6881}&.{196BB40D-1578-3D01-B289-BEFC77A11A1E}.@......&.{E822F933-C70D-3CF4-A92D-7263B8ACCF30}&.{196BB40D-1578
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):799568
                                                                                                                                                                                                          Entropy (8bit):6.390606039798855
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12288:XpFqy6cpZ4jhWZFmihMuDj8Ze6U8+yJ/x7ZI2lptCatFW8ExY+P/9:TFZjZsiuuD8X+y5tlpoGNExTPF
                                                                                                                                                                                                          MD5:AAC7ED76E8DE83F80D866EFE99121F2A
                                                                                                                                                                                                          SHA1:3A7AE94AE160FEE6F539CA0AA12FAFF2C19F84F2
                                                                                                                                                                                                          SHA-256:6C45957E8BFE773FC4F9055F8E1F88C4C7105C23B039526B07FB1921410F7574
                                                                                                                                                                                                          SHA-512:78DED5095F3081847D39DCC5A3F5447583962BBFD8A7DB72FC139872B05067E756AC8BA9F55A383861DEFA9FBB52EF0CE310F385577418B79713A9A4727D338A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.yp..*p..*p..*y.D*t..*.._*q..*..Y*h..*..m*..*..l*9..*y.T*s..*p..*..*..i*i..*..\*q..*..]*q..*..Z*q..*Richp..*........PE..L......K.........."!.....t...................................................`............@.................................z..(.......................P..............................................@...................Dx.......................text....s.......t.................. ..`.data....K.......&...x..............@....rsrc...............................@..@.reloc..............^..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2898
                                                                                                                                                                                                          Entropy (8bit):2.9176306580811873
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ctVkl4CkIKELiERngKAuHxKjVkEmBkmPxGcR2Q2kLpH0zzCsyjj29E5dKSxWcMP1:OgY6TPqazKxQOSo
                                                                                                                                                                                                          MD5:A84E3DE53A2A506ED6AF4695BC321B44
                                                                                                                                                                                                          SHA1:BB04B5663FF6179B88C3475C52ECDECB6D771261
                                                                                                                                                                                                          SHA-256:4375DA93B3BD8957CA136A8596C0196F5BBE3E075DB5D83528B44CF4FCA6CDA2
                                                                                                                                                                                                          SHA-512:5B0D0EC02A541E698525A4B4A10802F468A087C6BE983A67D5AE4DE14E817BC9F3DC152FBF68AD89C0F7B74E96A227236361B2B81B9CD41EF567CFCC632AC6D7
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial..........................10PT-ARIAL-100dpi_0.tga..p... ...................!...I..............."...................#...................$...................%...0...............&...................'...K...............(...!...............)...................*...................+...................,...W...............-.......................O.............../...................0...................1...%...............2...................3...#...............4...)...............5.../...............6...5...............7...;...............8...A...............9...G...............:...S...............;...Q...............<...M...............=...S...............>...Y...............?..._...............@...%...............A...T...............B...................C...................D...................E...e...............F...k...............G...t...............H...................I...U...............J...................K...................L...q...............M...D............
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 650 x 15 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9794
                                                                                                                                                                                                          Entropy (8bit):0.6343491608600029
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:Ph9dberKCLuBOdBdqqn4qOvzgbnq9VpqqdbNYXFsY0DvdRLU+RJP9j6btICChd/O:vfBiV4qOHSXFsTBFYIhunIZ1l6XD7Ys
                                                                                                                                                                                                          MD5:582139D68DBAA4E31199534BD7FA44C0
                                                                                                                                                                                                          SHA1:D42DA4A0CD704795DDCBD79826DA8BC236B0F80F
                                                                                                                                                                                                          SHA-256:9C1A12C67281B0DA3F0FE29ADDB6AA7D13CB542BD105C24D56F94EE634D552C5
                                                                                                                                                                                                          SHA-512:EED7CF81307CA7796109CAD95876C3E999C826C0A3A8F73128AE127A1D1F10F6B2B8D856B79B7380EFB589090F30C52F360839DB7DB5AE14CDD36E8690E6633A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3058
Entropy (8bit):3.2411493963960187
Encrypted:false
SSDEEP:48:4gHhsJJyquEu+cFkgQMpldyFzS5lXdlBLJP7EgCTbsyreVjmkqAfiPbLQkWZaYry:qJ+NFWFWbdlB2vWmHDku5
MD5:642715A3645956918EFB1298057B0917
SHA1:A8B427066B136D7E3A913A5E1B3ABBB886B7309F
SHA-256:A2E8A296D428B3F53D975562EA642D4CC628F8F80E067E2290A984ACBAE13E45
SHA-512:4D033CA007BB67E24ACE5B3AD0DFE3585D6D6CCAB2F1A1EC1718ECCF7FF0B5F0631841AAA4184F7CC4882F3FDD67776C19E07E4EF96DFA6093129B28973843ED
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1300 x 29 x 8 - top
Category:dropped
Size (bytes):37744
Entropy (8bit):0.6986554039535606
Encrypted:false
SSDEEP:24:Uc6eCqZc6T7O8zQpgMS2e7Gqq8fVpiEUUYW6H7DT8SBSQLFfSXDcUqOc7bm3OSQ6:Ue
MD5:448BE1D3548E5FE0073C767DB56B0320
SHA1:F94FDCC55AFB8AF3828B7164807A5FB6FD90D726
SHA-256:7AA4769C2ED69249742A302A180A0798EFEB2615649F4A51CCBE0EBE4337707F
SHA-512:78513D3F88A6C55D0706DC9767281A1601ADA63234E4165E24D0133CB6837EE5E7E93F085791E098F623FF7C35C5D95A0C790EF0662406E0640A17BDBEA38973
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3428
Entropy (8bit):3.320732685974979
Encrypted:false
SSDEEP:48:yM8g7/eitM/qUhJq7zO3/YVTc85H7URmQdwUjpf1ROYCReUzpkRZEzDofqEp/VTE:L8g7/ei1UcqQ7d74/l9s3oCEp9TE
MD5:9A01A600058FE761D25D47BD733AD722
SHA1:DC666706B1B4E12D2B406A4E12903EFB63F8EE0F
SHA-256:12DF5C9484A623C0204E089BD1B7884297FE53A2CF47D3C3B028A58089689F1A
SHA-512:A4E3240ADA50FDABD0D80B2707CB4B0F69B6BBB0C7A262CE266BFD95CF39BEDB26535DCF481CB3A10A909F237F7385103C2A45049943D80418FA8E1D67B88B38
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1900 x 43 x 8 - top
Category:dropped
Size (bytes):81744
Entropy (8bit):0.7047024972799052
Encrypted:false
SSDEEP:24:yBS/R8QqXKt0lqYUYKe08LkRBVqfjVLpcSgSzxCwdfwyydE7py0VtccMuSOK/c+N:T
MD5:E39CEDF52C5CD02A52CD41A1ED9A6C51
SHA1:EDBC01524A5893196483B9948B8ACE0D7FAF786E
SHA-256:8D495B587926EDA8C10C7C18337F655B47B9BA6FAC7CB446A5A28AE9AD683519
SHA-512:0C6D34D0F1D5151330051EAB5DD2C690A721938E0F324B07C48876E20649618F8043BA42B64B9DBE948C15498B4E1F68A8B5954857B4AEB8DD7DB41DA54B937B
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3438
Entropy (8bit):3.422547196106784
Encrypted:false
SSDEEP:96:jr41ZKi9RDkE+0jDwy9mCZZETAp/mFj9Tb:g1ZKiXkE+s4UBE9Tb
MD5:1A986B2158C204709363480B6D6560FA
SHA1:C2CFD41442061E813BE2C005C7EB85034635CAA6
SHA-256:05FA537F603A86F32D2E05F6441459CEC290620DD3E46C3FA6A23E0B1D1A79B5
SHA-512:2D7845AE3ADB11B239A9D5DC5683C007CBA6D78B8CB16EF761744A55A94E5999826095725D0AD0D5165D9C10889C64BAC25CE6D63EDA0BA704A92D0D1596F000
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 3700 x 84 x 8 - top
Category:dropped
Size (bytes):310844
Entropy (8bit):0.7579367006513039
Encrypted:false
SSDEEP:24:EJzkzUU8B7uAWjuBPSzPLzX65tqQqzmDzT5kdKqUzH59Ki59dWXFuTBTXu6Xi8go:2
MD5:561DAFEE6861AC2CFCE4BF7B10F7AEEE
SHA1:E2782C7518C5C714B5AAC822A761C938C29320A9
SHA-256:EF92590F7A0CDA8CAE626B2E53B937410B8E691AACF5793972D10B8155A8D6B0
SHA-512:68556365897536C856FE282A098E541E1E6071263C373E26C57598EEECF54384DF576D58C4DF25B030EAF4DE7A622A337B9ED474AF15068C9067427EC6ABFBCE
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2205
Entropy (8bit):2.4915509542601204
Encrypted:false
SSDEEP:48:3YHHhpxaiB7VYu8KPADiceYuMewDiiJGzGRu86/gDiT5XxHFXpnjZUmxHVX5njJP:3dytOg7pZf7wA
MD5:599B47BFE00AB3D3B16D11E6899BC66A
SHA1:1CE20D8640B23C01AD66BD9E27E584DAEED44524
SHA-256:824EE9ACB3D0C28A1ED3F8EFCE32CC4ABEEEDE2D2947E645D40E649EC5F109A0
SHA-512:3DA69001537EB8DF9F6C88782C82A7CCD2056FF89DE7610007C9A4C8A181EED126E489585DBF270AD7199667EBA7A096C518CEB82775096D1F568FE4D5882AA9
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 960 x 16 x 8 - top
Category:dropped
Size (bytes):15404
Entropy (8bit):1.5604063426004298
Encrypted:false
SSDEEP:192:2Edv8k/k0Y/ss8PbgWRohup5AN2RU0YEjIN1SSEZ2IETubn972Hs8asm5X:Vk0msR0kz63Eq1SSEYIETubikF
MD5:3336B947AD964644DC59B5D5CA5A208B
SHA1:600B60DEE5131DD5B8A721680C850A751CDB7B07
SHA-256:E1D9F7C12F7F4841F7684509D473424B30B6D0E3E57B1944CEF5C1486F06FCEB
SHA-512:B907B14894EAE3B925A178D51A8D412D3622C0D8964DD49B058425A0BEF2C2C27BA3F7B2A7C9EE382CAE0CA8452A091C8E3C9132CADF73C8F667AC8E587619C3
Malicious:false
                                                                                                                                                                                                          Preview:................. ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................sL....................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.6794216069105823
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:2FKvU6g3tRtqEXRlz11F2VSg25lkAzV6Ue:2SiRt3heVSg6t8
                                                                                                                                                                                                          MD5:7C989895AEE6A979B7E76167F695A2AC
                                                                                                                                                                                                          SHA1:91640CC0B0B1EAA5F6F8D392B717715E3F9FC106
                                                                                                                                                                                                          SHA-256:EE077A80FAB58065D17AA98EB6A13566EF17892A9F2E8296FE30AC9413C858EA
                                                                                                                                                                                                          SHA-512:8F7D6E0E02FF7026D9266A8EEAB91A6B395CBEB7BE10195F918B602F75BCDD217B0BCB1164ECBD88588B4D79421331D44BE4F53E6B25046DF64967DE89AA882B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10..........{. .............10PT-OCRA10-200dpi_0.tga..H... ...................!..................."...$...............#...6...............$...H...............%...Z...............&...l...............(...~...............)...................*...................+...................,...................-......................................./...................0...................1... ...............2...2...............3...D...............4...V...............5...h...............6...z...............7...................8...................9...................:...................;...................<...................=...................>...................?...................@...................A...@...............B...R...............C...d...............D...v...............E...................F...................G...................H...................I...................J...................K...................L...................M...................N...*..........
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1915 x 32 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):61324
                                                                                                                                                                                                          Entropy (8bit):1.2813951377329098
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:W+MWi82ESlvTpH82Tc2B/ArZr2qdg8n1AZ8FBJiu078VMONPWkMdHvwl3hvEyZpa:Brw
                                                                                                                                                                                                          MD5:C42321E8097CB81D66E1C2AB3497B548
                                                                                                                                                                                                          SHA1:B31595FF83938976A73690FE311F0B583E7C3DFE
                                                                                                                                                                                                          SHA-256:6C625686DB0A0F72625940C4E1E8E02B877072F1F9CCB83DACF4E7AF2AD238EF
                                                                                                                                                                                                          SHA-512:59D28002B3B20A612D8DD905B12E7BF3043C3C7D2142BBC4E998A104F3B0A071875B213EC34C17335E142C6830D82B9D47CC31293E5075799B9D24B09F6A441A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............{. .. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7007692729882984
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Rdmw6zErZXFQk1Dr1u+c11Kt+Gw1SqDmpl0xwx/F3:DzRr0+CQtnWD4axaZ
                                                                                                                                                                                                          MD5:6B30DE40592D0464D320C3ECC9250C40
                                                                                                                                                                                                          SHA1:B6139688C797DC82BC4507397A0102DCC0386CE6
                                                                                                                                                                                                          SHA-256:80D4A90F44E5FFE8D0DD3D06A34C17A6E675FB8B091B2190564DCE08B010E875
                                                                                                                                                                                                          SHA-512:C7C2FC8B72E27A5CE5A4A20E086E4B1EAC2C556A1F88DB9AF87C025E5AF1D363AA91EA70EB67A952B0356307D77D1CB7FAE3922680C022C3671B7AF56A1F1547
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......-.&.................10PT-OCRA10-300dpi_0.tga..H... .........-.........!.........-........."...4.....-.........#...N.....-.........$...h.....-.........%.........-.........&.........-.........(.........-.........).........-.........*.........-.........+.........-.........,.........-.........-...8.....-.............R.....-........./...l.....-.........0.........-.........1.........-.........2.........-.........3.........-.........4.........-.........5.........-.........6...".....-.........7...<.....-.........8...V.....-.........9...p.....-.........:.........-.........;.........-.........<.........-.........=.........-.........>.........-.........?.........-.........@...&.....-.........A...@.....-.........B...Z.....-.........C...t.....-.........D.........-.........E.........-.........F.........-.........G.........-.........H.........-.........I.........-.........J...*.....-.........K...D.....-.........L...^.....-.........M...x.....-.........N.........-....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 2800 x 46 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):128844
                                                                                                                                                                                                          Entropy (8bit):1.1197701008615584
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:abbbbbbbbbJvwAgHRTelyDXnNhdktel30XTGT3sfWTpNXNNSsSwZM968ElE8HAhF:a1OrD7C
                                                                                                                                                                                                          MD5:4D6DD8C05CB298560E84845EC3138B78
                                                                                                                                                                                                          SHA1:5E98D7EEDA1BD3DFC98B152B2133D07C3A3A5CFC
                                                                                                                                                                                                          SHA-256:6694B6FD4D487DC6D99FB7347653E961CB836EF83085ACA39F137586E6920930
                                                                                                                                                                                                          SHA-512:6F947E541A45BD50322831CFBEDA3C288DB1CF630A2A3BA48E1F2FEBFD2635211F66A58F42F2D35BFBC68DE94786EB5193F65B78A88C1A2EA2F8167C747A228D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7552139736822685
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:RZ+N2IUIUhVeQsNjZEI8iIEVlSn0AC8Jiu:RAlDWVe1Ru9iIEV85N
                                                                                                                                                                                                          MD5:D2B46680276BAE154B972C7C15F49564
                                                                                                                                                                                                          SHA1:3DD8FB8C47CB3EB0F8C170E65CD230EC7BB2C108
                                                                                                                                                                                                          SHA-256:93F5FE693CA004A0E06353C40B48FB23E064AD275AF1BB7133D0B27BDFB7A892
                                                                                                                                                                                                          SHA-512:6464F5B40D120288E5ED62DBB4766A10D1C425249A9EBC757DF5C392D7535F2AA6CCE80E69B664FFA56A60466706897FC89BD062E5EE669ECF2AAFC2C149C0E1
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......\.M.6.^.............10PT-OCRA10-600dpi_0.tga..H... .......2.\.....2...!...3...2.\.....2..."...f...2.\.....2...#.......2.\.....2...$.......2.\.....2...%.......2.\.....2...&...2...2.\.....2...(...e...2.\.....2...).......2.\.....2...*.......2.\.....2...+.......2.\.....2...,...1...2.\.....2...-...d...2.\.....2...........2.\.....2.../.......2.\.....2...0.......2.\.....2...1...0...2.\.....2...2...c...2.\.....2...3.......2.\.....2...4.......2.\.....2...5.......2.\.....2...6.../...2.\.....2...7...b...2.\.....2...8.......2.\.....2...9.......2.\.....2...:.......2.\.....2...;.......2.\.....2...<...a...2.\.....2...=.......2.\.....2...>.......2.\.....2...?.......2.\.....2...@...-...2.\.....2...A...`...2.\.....2...B.......2.\.....2...C.......2.\.....2...D.......2.\.....2...E...,...2.\.....2...F..._...2.\.....2...G.......2.\.....2...H.......2.\.....2...I.......2.\.....2...J...+...2.\.....2...K...^...2.\.....2...L.......2.\.....2...M.......2.\.....2...N.......2.\....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 5430 x 94 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):510464
                                                                                                                                                                                                          Entropy (8bit):0.8932362632422378
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:qkLRNFx+n88Y8h8GaC6m18C8aGX8jvXXSiGORuDDBwzIBZuDWHOtSxG4AZktVa4n:HBAS
                                                                                                                                                                                                          MD5:4BBD775E947CD895E2D262515280137E
                                                                                                                                                                                                          SHA1:DF2A41DD56D177539DAD50A426C5D53B67302259
                                                                                                                                                                                                          SHA-256:9D25AA5C67F4FDC7AB6E1925CF46D7B29F55901CA4511EF21C7D7925AA7D5113
                                                                                                                                                                                                          SHA-512:A1B64E8760F273A67B68B0229D0CB0D5982157B33E800C62D29471AB085300025D7BA68A39CE6CB702EE3AF0C645CC233FDEFAE7A085D775CCA59D8AA9A99DB7
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............6.^.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3058
                                                                                                                                                                                                          Entropy (8bit):3.1027253854984527
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:canQbjWaPkucVEsbnlG2FKuDbo0Hf4Cb+d4BGEOJVH9ZoVNtqMqlILRIBqP0qwgx:c+DAeb9/AKZ0HdeE3jvm
                                                                                                                                                                                                          MD5:42DC1DE09EE7F212DF2B5152E06B3C0D
                                                                                                                                                                                                          SHA1:6AE54EA71594B88376B63DBA534A060A21AB2DEF
                                                                                                                                                                                                          SHA-256:5069198EC35DEE3520FC18563290680CDEA184FF2650EBE3ACF83A5F7A2E2177
                                                                                                                                                                                                          SHA-512:D8D04A280B81BEA5AE36F63E5912C4797FA7A54ACA5826FC110A44D5117DB8249023A6D4C5E9ADA542CB65A9A0209137E2BF8F813AC2144AB0161F3910CA2AB9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial.......... ...............12PT-ARIAL-100dpi_0.tga..p... ...................!..................."...................#...................$...d...............%...>...............&...................'...................(...................)...................*...................+...|...............,...................-......................................./...................0...................1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...................=...................>...................?...................@.../...............A...................B...&...............C...................D...................E...8...............F...................G...................H...J...............I...................J...................K...................L...................M...x............
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 800 x 18 x 8 - top
Category:dropped
Size (bytes):14444
Entropy (8bit):0.6137222239827698
Encrypted:false
SSDEEP:24:JdgqQ8qnPqrRbQ0M6quQaYARkBHI0lqFQQ49IY8oXaWGtbQH3PqZTYvfJ7sU3XU+:IWiALdpYTbAgAFe0DmWTCsi
MD5:3F33DDDE906CF89745E1D4CE3D2A33FF
SHA1:B0CBD603069FB94A2D144E809232874635E6E1EF
SHA-256:916406ED74BA47D18350D7414D14C1182E0C5B987F666B8AB749A87C6E7F832C
SHA-512:EDA4FC6933BB6D475C3C763C1D1270C42EC52EA91D36E8D70CDB6C9797B13E63867F366F766F291472DB5ACA94C0AD241262BF146AF073D61B25D1B43D45CB64
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3318
Entropy (8bit):3.2848226447246547
Encrypted:false
SSDEEP:48:dQfcbSBWVg16yHmt53BVeK6FmswO6aPhQURmc/HIcAx+Yulzgaa2fGwvRRX/LQkW:dQUYFmPB4LI4VRmcgcr3NFl7os4NH
MD5:F06EF7EEADF8171B7EFA2B8BECC12E43
SHA1:197D75D122AC85D4534B9002988FA040B37A93F7
SHA-256:5DD1AB93109FA2026BF57F0D4B4154E43B52EBB8193C360CB2D119AC32E1EE5C
SHA-512:61194E004F796FFAD3E07DBD0FBCCFE1C1E2D25A8C3C57393A823D65EF0F12E0C778589143DBB74E3D9F948AEB098755944A0168BD2BCBE5B4A757C50075723F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1600 x 34 x 8 - top
Category:dropped
Size (bytes):54444
Entropy (8bit):0.7317128838900055
Encrypted:false
SSDEEP:24:YQ8F/SSj4weSS5ZrcAzDtSS/cp3UU9TkBsPWINFIECxQ10SlzgY91o9MfTHkrugd:b
MD5:F8B8C71F04F750878115994008E0468B
SHA1:8FC292C417FF64A15205B16E364DCE089233DE19
SHA-256:8FA4385180AD2604231CB4D41FF9A77FB8A00DBFC2BA49C034F54751B90B0E89
SHA-512:E90EC95C6C7D781C261B0FA1AA94A311A4E94BDD3221ED5693F5ACDDF6F222B9FD0FB409F494BD6D6913E31CE8BA3C0E1536B34A2137FC8F4957DE9E17301D36
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3428
Entropy (8bit):3.3571517672450866
Encrypted:false
SSDEEP:96:8RmfoybIG22Ph4hTSIKQEPWKTootr6t9TE:8RaTbIn2Hlst9TE
MD5:A4233603E807639342DB01DE2331E10A
SHA1:D98B1BBDDFB339C704BDC21AD4831ED4BD60D0D7
SHA-256:2F5EB4C4AA628590EA178162325F685438FFA20FFF9B9B20564B472E9ABF4368
SHA-512:C91F37B58212D87E3D2635E94AD7AC67B72874E666CB4A450838031C9A344CDDA60561D8F07B863BC2022B0798D2BC507D236F3728F76BC7D35C2E293CFAFCAB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 2200 x 51 x 8 - top
Category:dropped
Size (bytes):112244
Entropy (8bit):0.7425024616257148
Encrypted:false
SSDEEP:24:Ao3JizJg+bZAMpjjrlBp8Xv7MXpgRvyn8R+JGGgUnCz+9BogLcnS2gZRetoyb9UJ:I
MD5:4497DB7514559865DEE4B7EE8EAC8AD6
SHA1:DCED448067258678090D72FBB0119DCBE0B3674C
SHA-256:B270502CD0B6B4E03BD2580235D442122397C6BA82C0482E808A71124C640766
SHA-512:748AEAEB118E630DAAEF8B119DCB62040490ECD9665581E7746773C7FB6D599823F555065F359BE420372010C4219493E218AAF76938618761B2C371B4BDF88B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3438
Entropy (8bit):3.4674787716741147
Encrypted:false
SSDEEP:96:N6fQs3hKMpD012Iyq584NcRiYT1HzW9Tb:NWEMa12Iyk8HL1a9Tb
MD5:81D8A9F5AE09E140DE8876A7CB3D107B
SHA1:DB29B25F21F8919D3B03DFDA19FBA44E1CC00D55
SHA-256:55214ED98A62516873FB67F13A735FDC437652B346F839C7B00C9BDBF1175171
SHA-512:3E462A8C9C933EC96C7478E8596A83741A7B2F19DCD1CE0E0A75F6EA7DDCDC93A20597BDE26241CBDB4D23053746D9E766C76007169A0F7D19DF50B41D570614
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 4400 x 101 x 8 - top
Category:dropped
Size (bytes):444444
Entropy (8bit):0.7535575336993283
Encrypted:false
SSDEEP:24:qJSEVMFmKpvHWZpYWEqZc6wxd0KyJk2gdYNw0Flc9VHxFz3Me5G3YH/7V9fiKjkZ:A
MD5:9DD176CA7752B1F13A048C865659E933
SHA1:97ACDA409018B1639BAAB24E771A8C1297386745
SHA-256:A4EC86B68D56F45DC7434F0ACFE39B1402C521DCB81FCC278DBA9FEB13A4CD5F
SHA-512:CB6D412A7D936034C1F5122587705AEAA8F44D61632646F828179F8FADA976F909A496EEC09BAD4E56EA3CC50391D2D71EA311B9E1FFBAE364782FDA45B4FC97
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2205
Entropy (8bit):2.609183250375046
Encrypted:false
SSDEEP:48:RvOYHagXBgbjzPFhy9gZ5J8yVKAfOKBsaaa4iL:JO/J290J8plKBMaBL
MD5:A8CF7B2851A757AC3814E6FAF4780EB3
SHA1:1EBEF432D358A2DBCD3167D2E27BA36C0159A5F5
SHA-256:ECE5FE93E85A48CE06E637E0B6166429A5EDBB30A59871935DC94AC99BD7EC2A
SHA-512:0072D5010F2E416095E28912B82EF74A1843D856CB2C0721F84F281F85C2072D380F9C0DAB527EB6E354B290076B91FF90EC45B0E26A7F22774D9D79DD4150F0
Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1170 x 20 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):23444
                                                                                                                                                                                                          Entropy (8bit):1.4802597005585163
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:6b7B9yhYA+416K43wEjpEX6njKfuNMc2QBsiubHLmZl:6b19yhYAX16KIjpEX6njKfuNH2QBJPZl
                                                                                                                                                                                                          MD5:96BA5DEAB93C335E35C0C1DD3C106803
                                                                                                                                                                                                          SHA1:45DDBF6D8A220A75335D8BD4022F83397E924886
                                                                                                                                                                                                          SHA-256:0A2A2CCF1DBE7BFC9C030119A3F4A2CDC1C66EFD0DAC293D6966939F5911D3A0
                                                                                                                                                                                                          SHA-512:84908B303401A5DB6EB6DC78167169A3DF964239057B69FE79D6B3037075D2DBD7B633F6A84A1179D0657D9D50DB15B19EB6C4B902D3403130A95FA833FD70E2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.693721307467483
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:9OFpTEqAIA/6DEKboXfJec/r2z2YavdHopX4QbxuRWDppqi55ZKUvOEle/1:9OFOqAd6DXboX/YalICJWDai558Udo1
                                                                                                                                                                                                          MD5:F73A4013DD4FBD49A528A37C706FE227
                                                                                                                                                                                                          SHA1:04D93F0A249B08AC0E2C6000816FD291A13A00FA
                                                                                                                                                                                                          SHA-256:90924F625305904A641B0200C7708CBDEBCDFB54B5E09CB0DBFC6149CFBFC56D
                                                                                                                                                                                                          SHA-512:72C02D5963DA0CE9BEAD72EE2FBB613246DAE58627F2B5EBC93A4D14B696C67B056AD704F5D294409BAA3A924E4794B044142E24191D2AE026BFB6B9D86A5221
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 2240 x 37 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):82924
                                                                                                                                                                                                          Entropy (8bit):1.237346860205523
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:/E9FsNw1OEYA2gDmZ58aKz5Jc0q2CW7gpiAq65EkNo7BR1k9y/hZ5:QBT
                                                                                                                                                                                                          MD5:8F1B9B7075BD089C60EB9EA97E3C85BF
                                                                                                                                                                                                          SHA1:9B1173F88E1EDE1873660FAC312A54C4B1ADC78B
                                                                                                                                                                                                          SHA-256:B6EC7076357106F3FF84CC46E7841F2D450D32717F81935CB133FF3AA8C93274
                                                                                                                                                                                                          SHA-512:A481C45DAF03D9BEFC5EE6499AD2BF4D608F77C5DCA91BCD35651204BAD4ACCA4F54CFBABAA7843BF7CC2DF3FB6181A3677E4972F59DDC0A221BAAF5B90E475F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7221687066436573
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:lOm3XXtuKnpBWNi2mKel2hB7qL0GCfr3p0gyZmHX:lO2hnWNi2mKel2jqoT3mgyk
                                                                                                                                                                                                          MD5:C0A46405D22947C9ED2E4D297171E733
                                                                                                                                                                                                          SHA1:B152C09FDD435FA0D54626AFA0F256A2C284887A
                                                                                                                                                                                                          SHA-256:F15C3BF0B59545964F70A527245A0531ECBFDC5608790501174BE855C4551EA6
                                                                                                                                                                                                          SHA-512:0F1EE80A0505E16835D8164604BDBDBE7DA981CDD58DA6430A723049397E22ACFED2020D5E4BCC253DEE2F0AE9BEB32F98C03B42781613C9F72B72049E6B141E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 3320 x 57 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):189284
                                                                                                                                                                                                          Entropy (8bit):1.0677553185239799
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:8885P4818bf8Jv1Z82s8Kfd91rzR9AfTBCBpdHydSKAFDaZK+XDegP8C6bnHdXyV:K4TjVOPv5
                                                                                                                                                                                                          MD5:F2ED6C328CA5008A9B054710EE8E780E
                                                                                                                                                                                                          SHA1:6B8BFBE48AD327C951E9A3B75230825C8215D196
                                                                                                                                                                                                          SHA-256:ED87E8B5D3EE7B12D777799A1B524DCA5C30834E360A9843D22BB47D02DA2909
                                                                                                                                                                                                          SHA-512:26EF29DFC0DA34CA8BD6AA89B07FF6894B97362D883ACD244B4F8063CAAA07ED52340A654B7B35029893AD965D5A2D1057981F5D9517D06DFD16A49EAC7BBC15
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7558355124785305
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:UOZpUOWNCIrDUo/3KqKRecWjHLTDQA+0x/Oi30UrcKSqX3nPE6a8AllvUQNR6n/X:UOZ2jNfUofbLjkA+O//5c2ahXUA46e
                                                                                                                                                                                                          MD5:60269A9D66B814F9B32A3BA81599CC6E
                                                                                                                                                                                                          SHA1:6A7A74C5E56F1AFFC5AAA312390C849F1FC9BBBD
                                                                                                                                                                                                          SHA-256:47D472E5ACD1612FBAA45A142323C3F497C0A2637D3A5502B8BAA7584548E407
                                                                                                                                                                                                          SHA-512:4B43CDE22E9348F9E7BB1548BCFC7B23DFBDCEC1731BD8E20961D38213616A2D24B748BD27B1EEC601EF0EB50E8413C571D3FAEE37707E822A5F15F16B89650B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 6500 x 112 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):728044
                                                                                                                                                                                                          Entropy (8bit):0.8736543188757706
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:wWVt1mLQFcyvHSn2ghdPScq3EWe1C5J+t9+9LuAh1dKSg0Jg9ZafWU1gz9wUjuW1:SQfy
                                                                                                                                                                                                          MD5:4EA82F092B348DE6E7BBEFA317FE1D26
                                                                                                                                                                                                          SHA1:9968A16CEA7C588482515141E2895126C37341E3
                                                                                                                                                                                                          SHA-256:2F4B9BD5019C20DC16C4068EBC9757461511AD97225D4D533BFFA91D9493237C
                                                                                                                                                                                                          SHA-512:55E19F9D46803C30CF8398942223A571E710E02D72DEC418BC57A1E222EC5035BDA253EEBEA99DB7267787D890310D30C7E900D25257B02224E8612E8304656D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2877
Entropy (8bit):2.9014515734713138
Encrypted:false
SSDEEP:48:S/+jVnw89RksLfnm/xLPMOtXdsoS76GQMXz4be8xueaa7OUPa0ULHSALtK56LmSc:SwnX3LfmkstsoS7jQMXz4b9xuedO7rLs
MD5:29A268AB69DCA005914EC0944A38CD3E
SHA1:8DA0E84DA7F45B5FEA453D40B53A671718014412
SHA-256:D2F4A6A16EFB64D6CA543C7B1BBB0EE010C993B8C1B80D5A78BDFBC496799932
SHA-512:29004D097F0ADADF80A739D48B19FF3ABD5C72BE7B311A61EBA04EB75930806A4318781452758B9C2863E0F8B88A94CC96FAA32C0F4C392878824CEC654B7B15
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 500 x 12 x 8 - top
Category:dropped
Size (bytes):6044
Entropy (8bit):0.726828000834104
Encrypted:false
SSDEEP:24:bljtojGqq8ePdqW8rbJF2rq+zWWCQAyb+HWA0SCHgmo7g6xATFbYmwtfPGA7eUqF:ZWj0Qf2rcFQ/VAEro7HxARbDwtHZ7C9
MD5:D9CA40750B4CB752BC02A8EEE8716428
SHA1:BB9DA97A6A3CDE61622FAC8483E073156108FFCA
SHA-256:4B2023D822DC747DF1DA9127E8F7C8624A2488E83BA6785F81C0AD17509DABFF
SHA-512:9D0B802925EFBBC480842176C0267CE0C23CF3BBAC948760DD18C480A24A3F711E7E5B1DDCAF277BC862C9A2B8EB14CEED45B9E8F9DC7211F48602F6E47E9E6D
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3057
Entropy (8bit):3.165463306756613
Encrypted:false
SSDEEP:48:b6nP2JcVr0497J0ottjzyLPNIbD/FfTCzTZ4AHweE02vfMITD8PLk7ZaYDGHjeIj:bbKZN70WQBIbuTlweErT3m
MD5:F8F1E147439707622834821B52A7B164
SHA1:E2B73166A96F09B25B48C6F57E6556AD0DD12707
SHA-256:B0481302FCF9A5D8DF3D354206111231762A0D6EAB074044C02313D6AA51A72F
SHA-512:EB4B56D0C84164CB8FD1A313E7FCED42AB02440D0B7887F31AB71AC92C466876FD540303C4C49A4E9D55E75E8A2BA5ECAEB9500C626F3F8320E3BE7867CC93A3
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1050 x 23 x 8 - top
Category:dropped
Size (bytes):24194
Entropy (8bit):0.7584763606736251
Encrypted:false
SSDEEP:24:Ph8VVLuZd6UiU1XD3868Z8GDbA98K7v7DOD3Z81GY/UU8x/o09Fc3rpDfScJ0LzP:c
MD5:596BA81E3F315973A9106A739718F3C7
SHA1:63FF6FB1D84FF576DE5A403A7CF1783C569B554F
SHA-256:C1CEDD397A7524CA8F2B9C3B7A2649A6FF4282700EABAF07C30A926B12D3AFA8
SHA-512:D629C436FC780644899BA88F738AA36053808248E24933A1FF2173E0312A7C6F9467D6DE6C8FB9938E29495297E60178FDD72F9D8516BF6440B3552F98B6B54F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3317
Entropy (8bit):3.2823099008263275
Encrypted:false
SSDEEP:48:dQ5cbSBWVg16yHmt53BVeK6FmswO6aPhQURmc/HIcAx+Yulzgaa2fGwvRRX/LQkW:dQ6YFmPB4LI4VRmcgcr3NFl7os4NH
MD5:CC44D4BBB271241AC3C055DCEB06EFC4
SHA1:50492722B9FD8B070D2345A320E54209784A469F
SHA-256:FA9C5A2F691236A3071AC142243C76471133B6866FCAA7E186025AE658D9BB1C
SHA-512:AF140AE21C4467881BF5195F854FC6810DEF5B065BF9C2B5B5FAD1A045CE14DA39792868B89A23CA3D4C9BCAC4F5599B3F7C6931D4A17AC31472A55FD7CCADB8
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1500 x 34 x 8 - top
Category:dropped
Size (bytes):51044
Entropy (8bit):0.7579929130939385
Encrypted:false
SSDEEP:24:FQ8F/SS/4weSS1ZrcAzDtSSzcp3UU9TkBsPWMNFIECxQx0Slzgk91o9MfTHkrugl:A
MD5:D4AD57A2E3C116086258D646F3F76A0E
SHA1:047945F7013D661FDB0F3F105F8629646FFFF939
SHA-256:840C32730278C207C6EC94272F91F49992371FDF418FE10BE687A48CF9821207
SHA-512:C9E550BD0D3713BA2E1698FD70BBF9033E837AB1AD74171221E1005782CB478174E458254D6971229BBB7858175255FEF2502D41BEC033DB0D0884F26EAC4CB5
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3437
Entropy (8bit):3.4117486433608275
Encrypted:false
SSDEEP:48:pGBR0vr5orBiU1r4GO/1O0GTqqZfeCXEC5W6O5Rv/ow7xTIVyR8bD9RHGz/N/GF1:pn5K1r4GO/1OnZZ3UIODHoHRmz989Tj
MD5:217A6D466B5D7859574D6996DFA74E2C
SHA1:093A48EEE6DEEA8819C9867CF6035E02058FC40F
SHA-256:D84226F3EA8E9C4FC892840046DB4E5FCFAAB81F9209EAD95EABC9678391AA14
SHA-512:5F43B97C7D6469F4B7FD73C939F3B0B2405818C47366B8DF44B59EE949FB2EC7E74F89CF888DC914122CDD245B79476BB63BF78AD8E74FC237FF037CBB3C69C5
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 3000 x 68 x 8 - top
Category:dropped
Size (bytes):204044
Entropy (8bit):0.7376266164523018
Encrypted:false
SSDEEP:24:08WgJpwq5j90nm4vUMtqr+uf4hZA/1xL3JVU/9YSPUf3oB7SagbZMoYc+76aEaEF:n
MD5:755E5A511D6118D7463BB0D5BB8AFC08
SHA1:F5F17137D18C129CB620F72BC37FB041315A78BB
SHA-256:58CB5ECC3430502B90EF754214B83A0AFDC6C573669FABA37F5DD4286A8C5568
SHA-512:2ADC972A02293FD8ABD39FDFE56D6B5456E4DDC1EDC3B30A7E000AB5AFF6EB4514A9CA6FAFBECEA2AD9A0597E12FA667BA1D1098270DFB35DA467DEAD3767AC2
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.5077962792151385
Encrypted:false
SSDEEP:48:yYHLOjR3+BX8vDHqJHfC0gGo/W9gv2WHh:yGER3+BX87HqJHfxo/Nuc
MD5:CD6D2ED5EB50B15CDE613169BD2CD178
SHA1:AA8A04D9B5D1C8EC0AEB50BBAF643CBCD37011C2
SHA-256:16BBA19E984462B2AF387446EF0F0037895D28B249AB4674E9E11A0796FCDEEF
SHA-512:7F7FB9EC566545C29EF39B0EDBFFDD1BA306823ED3FBE1519C96EC5757F5C8F571730CA786A9D514EFC2DE75F27D02B6233C5F9B3DDBE45F8070063AC8F4FF72
Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10..........\...............8PT-OCRA10-100dpi_0.tga..H... ...................!..................."...................#...................$... ...............%...(...............&...0...............(...8...............)...@...............*...H...............+...P...............,...X...............-...`...................h.............../...p...............0...x...............1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...................=...................>...................?...................@...................A...................B...................C...................D...................E... ...............F...(...............G...0...............H...8...............I...@...............J...H...............K...P...............L...X...............M...`...............N...h...........
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 860 x 13 x 8 - top
Category:dropped
Size (bytes):11224
Entropy (8bit):1.7571414506154819
Encrypted:false
SSDEEP:96:eP91vg99WJfpGE4gW7ELjTqaHqHgMfx+/7:eP9pg99WJgE4gW7UjmaHqHgox+/7
MD5:58E2C4265CF0F94677ADD0D8D397BF38
SHA1:54B8BB824DF307E60736F23DA9D6737D7B3B7719
SHA-256:B2E3DE7A50C4F85190C2A192A426DC3D5C204055DF3CCF5B58733F186594A861
SHA-512:88290F78C207A75E44789449B524FF51E6D3058AD98FAF234F7AEC0814BC6FB2F2D6D8390C9B36793A93A3D0B83319050AA10237D10D292C447F3458DD9B8D11
Malicious:false
                                                                                                                                                                                                          Preview:............\.... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J..........................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.6412576017007408
Encrypted:false
SSDEEP:48:pFuSmKfTcxuGjUdaXw5Pm7ctfXKVu5L++egfytSPjWyoon62PfoXtyjchuCMtvo2:pMliTcxuGjUdaXw5e7clXKVUL+hgfyty
MD5:EFB3EC56ED4184B4F5A16FF794E640D9
SHA1:80FD816D02F9AF2ACD0A703622C126530B50FC77
SHA-256:C15971469E26D35EA5259A4D90880DE898D553D7212471433AD83D8F7991DFB9
SHA-512:FE95A4934B45B52F5B55D4AF9EF3EBD24020F7925BAF060A0A84015D21615C433826838DA29E2DA0F15BA20F9B06C785BAD4776C0A42491C5D3C4900D20871E4
Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10..........................8PT-OCRA10-200dpi_0.tga..H... ...................!..................."...................#...*...............$...8...............%...F...............&...T...............(...b...............)...p...............*...~...............+...................,...................-......................................./...................0...................1...................2...................3...................4...................5...................6...&...............7...4...............8...B...............9...P...............:...^...............;...l...............<...z...............=...................>...................?...................@...................A...................B...................C...................D...................E...................F...................G...................H..."...............I...0...............J...>...............K...L...............L...Z...............M...h...............N...v...........
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1500 x 25 x 8 - top
Category:dropped
Size (bytes):37544
Entropy (8bit):1.4252308764934576
Encrypted:false
SSDEEP:768:5N/BlGZourEoL3B9oLnJPNWo5tDUPoVqbfhAKTFAr7O05/GcFL1SLiPVru7S:LvwoGEorB9ojJPooPDEoVqbfhAKTar7T
MD5:EFEA5E70F1E59B73489C9DE41D13FC2D
SHA1:3944C01A59816F2A61CB28148C08592477BC55A4
SHA-256:5F601A923214F92F592D444CC056FFCF6304C5A11A793655C2C0E0DD9395DC59
SHA-512:7B853A1F49662489F6ACCFC3835769B1179CA33472B16E3A250C782AD416617878211DF41349AB0C732140C14BDC94EF3F3D287EA37A5465E61E690A18EF271F
Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.6894722219470664
Encrypted:false
SSDEEP:24:smpTEqAIA/6DEKboXfJec/r2z2YavdHopX4QbxuRWDppqi55ZKUvOEle/1:smOqAd6DXboX/YalICJWDai558Udo1
MD5:D6ACE7ED67E83145BF40DAA0CE5D72CE
SHA1:8B80DD595010F1F29DD7F912F0A6BF3ABEBA58C6
SHA-256:75F45D4004CE0E7CA709EF91DB190D647F110A419F4470E9453CBE89FC7A4125
SHA-512:2230EF889C0E41F786F3A1A7678D8C921A3665625B1D1C1B889C54BF09F5EB4889A269B6DFCEF37A338E357B8AB47DCBB7B6D8DC4930D44F29A9C613A7B41C1C
Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......$.....%.............8PT-OCRA10-300dpi_0.tga..H... .........$.........!.........$........."...*.....$.........#...?.....$.........$...T.....$.........%...i.....$.........&...~.....$.........(.........$.........).........$.........*.........$.........+.........$.........,.........$.........-.........$...................$........./...&.....$.........0...;.....$.........1...P.....$.........2...e.....$.........3...z.....$.........4.........$.........5.........$.........6.........$.........7.........$.........8.........$.........9.........$.........:.........$.........;...".....$.........<...7.....$.........=...L.....$.........>...a.....$.........?...v.....$.........@.........$.........A.........$.........B.........$.........C.........$.........D.........$.........E.........$.........F.........$.........G.........$.........H...3.....$.........I...H.....$.........J...].....$.........K...r.....$.........L.........$.........M.........$.........N.........$.....
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 2250 x 37 x 8 - top
Category:dropped
Size (bytes):83294
Entropy (8bit):1.2332020947298008
Encrypted:false
SSDEEP:384:jErFszwjOEia2gJkZH84KzTJc0Q2CWFgpiAM65EWNo1DN1k9y/hZh:CHf
MD5:AB64259291B46C739F072868D63F1CB7
SHA1:1C5ECB6C93D138095970DACC409A43B61653E508
SHA-256:C7DC605AFACBE893EE6B5996560AA76B8FFF1176602AF20823800BFFD88C255E
SHA-512:C150F673F87BEAA78CB4D69FF47252F61A947AFB66558F98E6812C87984E014EBE4C8F74FEB2F9F82F3B55A7193D3E60E575D12E7EB8D304D615610CE3182C1F
Malicious:false
                                                                                                                                                                                                          Preview:..............%.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.72095553940469
Encrypted:false
SSDEEP:48:NZjJx4I4rYY1/CW6v+0f/ql0ttaoGSGQNP:N74rL1a20f/qsq+5
MD5:729FCD23C2FFFBAA54A67239BF621772
SHA1:5952D35F196B0B0F150F7C9C32B9CC4BD4C8DD91
SHA-256:EAB7278D37D2D8EC571E885EC7599B4C68C1E7BC382C8D5066932A26F1EC5ED5
SHA-512:8D2D8492EFBCE43DEADA282AF2913A7CD7D092E1E8D415F7E4DE1C5489CC6BD0832553AEB4C146B30396843FEA450DCD4FB8D8E0514135380C66EBD346DE2986
Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......I.=.0.J.............8PT-OCRA10-600dpi_0.tga..H... .......(.I.....(...!...)...(.I.....(..."...R...(.I.....(...#...{...(.I.....(...$.......(.I.....(...%.......(.I.....(...&.......(.I.....(...(.......(.I.....(...)...H...(.I.....(...*...q...(.I.....(...+.......(.I.....(...,.......(.I.....(...-.......(.I.....(...........(.I.....(.../...>...(.I.....(...0...g...(.I.....(...1.......(.I.....(...2.......(.I.....(...3.......(.I.....(...4.......(.I.....(...5...4...(.I.....(...6...]...(.I.....(...7.......(.I.....(...8.......(.I.....(...9.......(.I.....(...:.......(.I.....(...;...*...(.I.....(...<...S...(.I.....(...=...|...(.I.....(...>.......(.I.....(...?.......(.I.....(...@.......(.I.....(...A... ...(.I.....(...B...I...(.I.....(...C...r...(.I.....(...D.......(.I.....(...E.......(.I.....(...F.......(.I.....(...G.......(.I.....(...H...?...(.I.....(...I...h...(.I.....(...J.......(.I.....(...K.......(.I.....(...L.......(.I.....(...M.......(.I.....(...N...5...(.I.....
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 4400 x 74 x 8 - top
Category:dropped
Size (bytes):325644
Entropy (8bit):0.960508907831785
Encrypted:false
SSDEEP:192:iBoqJ8aicj9+hCwjha/FPIb3SqW7sxHBTjMSRyy6Io86YocRzz3Pxut/OvoG+TgV:52G5jZ
MD5:31D0F3CA574F7915C243160B737F0EB4
SHA1:C10D8540C7566A487F340D00A26FE665D5980A2F
SHA-256:C37897B545868E651A348F73EB3032E1BE7A42B5835C5DA3E0625DAF4476539F
SHA-512:79712CDA5A3A60E277B2D03F7F64A1A230E2903EC24EEA08EB4A52382F4A4B5200E5D619495CADF895B96EEE69AE53F9B61F8BC3EC53BC5AB703FDC2C60655E5
Malicious:false
                                                                                                                                                                                                          Preview:............0.J.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2897
Entropy (8bit):2.9695186302821264
Encrypted:false
SSDEEP:48:iAYtWLd35SBFcPssMaGSY2naewHcS73HQog5dKSxWcMPsw1IZNseKqKeWQU3LSkX:i2pYGjgD3HQrKxQOSo
MD5:E6AD0D02508563AB6B0E71D771E7968B
SHA1:D7F1997A866F964CB6FBB2C069662D75FE34E2A3
SHA-256:E0C9680CAF6E60F3C0C1B5352C83F27EFC6E02C653AA098A17CA12A5C495EF31
SHA-512:01EF36F2A6B8410A414FFC984A06D2742125E3FAAEB7D87592A0468AFD90750D15A376FEDD62DD99C9E3AFFAC11808F2215DA8D66ECF057CFF2240F5A7DAE3E5
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 600 x 14 x 8 - top
Category:dropped
Size (bytes):8444
Entropy (8bit):0.6450671135015665
Encrypted:false
SSDEEP:48:ILzehykPMi4//PtKTy3hTkWhAT902yZWh/O:y
MD5:2C47EFC4C7C816D6DB3B5849ECAB5300
SHA1:50DAFE6234A900AD64B58B7A8FA9491B9F426131
SHA-256:49D412BF9DCFAAF2F32D58F0A3A823E417D25DA7D872379C47F88A341EE8D35C
SHA-512:06996E1CF8D2013BEEE952E4F36F3EFADEB57318F97B519D4B1BA4ADAED01D6CD3E11E98F470A3AE12DB0456467E99255B5A99694B169A11C8229FF4E13B878F
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3057
Entropy (8bit):3.167983330030016
Encrypted:false
SSDEEP:48:WR2aYI28h7TYUED62bNmOS7L9mpIsnRoFMLkqi55DllP4jydK1zsR8tBDRAP/vc+:WrYUgl+2RmpL9mpIsn+Fd5GzJmHDku5
MD5:5DC7E9AD26A8FF2759B353B041D308D9
SHA1:A2E1B1E6B1C1B6B9574D18CA1083C362559155B3
SHA-256:A94D7F62E0142E1F8865F8242C96820D576023404CEB5F75DC2084E85D511A6C
SHA-512:1E6B41081C3338E35497CBA1E8EE1AB5E9D8BD7B169194D5A0E58363125777979FE1A60B344E41B59DE18EC3B1348AAB726E6D3870066E5B37C56CA52D3CB796
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1425 x 27 x 8 - top
Category:dropped
Size (bytes):38519
Entropy (8bit):1.6436496160004124
Encrypted:false
SSDEEP:384:oSdVTQHsdSUpRU0ykA08D6LHIwsgDihf5TyNvz+/r06Z++cW57v1AQDLU4+kBInN:LSMRp5HRDsTPiNMJ7AJqtY
MD5:7F93406E4DD1E1D715C2DDD19F4F0D41
SHA1:8C09D1050C33E17326C10F255EC79E2CA016C80C
SHA-256:5D6C070816DFC29DECF5A5D622BFD4221131EB9A9DFF0BB61D4A62C9492AA9A2
SHA-512:FCE537B4EFF7FDDFDBE659F40EEA00F0DF5AFAAAAD9543A4588BF068B8AB7A6CD3C9704A6DBE769DE4A2FE42FE86935CB4186D47E8ED10F1B6B408277CB08897
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3317
Entropy (8bit):3.293481194050177
Encrypted:false
SSDEEP:48:o7STbYKtinfXO+tfHJwNFoqOswLC4vLf1ROYeReUzpkRZEzDorpEV:o78bPufXIoqOwMBs3oFEV
MD5:0D5704585482BFA173C0875C7AEEC9DA
SHA1:EEFBDCFD3A4487E92E6B7183D826BDFC5AD65AA6
SHA-256:85CB190080DDE3CDAE7F313D66C0131E7885BD9BC514E6A252E7EAD6A46A37F3
SHA-512:33E806974B357F7D09338EBE842727ABDD033B2400620BDBE5BED77ABC992833438B0E412A93D04E1C42A4DD5D4BB44ECB2DDB8B20F1674AE9DA3640D49D6409
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1700 x 39 x 8 - top
Category:dropped
Size (bytes):66344
Entropy (8bit):0.7289775233413816
Encrypted:false
SSDEEP:24:1pdEzskzP6LzhCr0efStz1DOSUbQEqBrzzlSVUSazOhJjcTzVjwY5iSl+wO5tYXk:+
MD5:95BB6DD10F72E43B0EDE93A9D9102544
SHA1:BF5C02D93E865F3566CECF2BA3E8DC76EC1AABC1
SHA-256:8368BF5279F5D354B91A79522BFD5532B96D78F198DDB4938F9FFBC0481DD9B6
SHA-512:3B9C2967ED2F93DEE8F0F68DFB209D28B0B5F15FDA5615AB6AF11F181B79AEF7D1F9DF9A04213467122A5C568E9973051081DE96E36F9CE498AD4FF1E72AC762
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3437
Entropy (8bit):3.4289685103195504
Encrypted:false
SSDEEP:48:sdZ6CG7K2+HMbZg567lzsAQLKL8mympHk8vUGpR3ibD9cH8mFi/GF/VT7n:so7KVHMpsDIFh9TeccmFy89Tj
MD5:CC1F1CE9C164D61DB51A8966A79D7C47
SHA1:10BC345D847335A0F6AAF0FFEEE8FED497AB65EC
SHA-256:FB00488DD96929B89684A894161458F3977513530637647750E047BD9D8DD6B6
SHA-512:9C5FAEEF43A7882B3ACC7B0E00D181590434D06DEB61CCED5B428AD5DE95A9115EFA9106BA696F5EC8FDA9F610C6EF7726F1B9C74EAD4EDA8A07AE43A2408BAA
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 3300 x 76 x 8 - top
Category:dropped
Size (bytes):250844
Entropy (8bit):0.7661069044348454
Encrypted:false
SSDEEP:24:ge/4XkQI+lyqe9tBWYCH3HSGuSXBpNzUkxNKA1HRKX4v+8N99iRIOUeO6qDX7Jhv:6
MD5:629F13E1A4CFF9AD3785D3BA56BC6D39
SHA1:7EDB889F6AFB1ECF6BC2DEF15AEDA2B3E17DD9E6
SHA-256:658B6A55A531912D2DA97C0F9D7AB40B2B073DB0884FDFE5EF19E9E9C0D1458F
SHA-512:616C03B3AFFD4BB45C0B8C890EC3FED0B94B916C98EB921DF01B94187B8025D87679BFF5C65812FCC59C2C49C5D7E3E06AD20D1B8A6D737D09A508B535B3C188
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 6500 x 112 x 8 - top
Category:dropped
Size (bytes):728044
Entropy (8bit):0.8736543188757706
Encrypted:false
SSDEEP:192:wWVt1mLQFcyvHSn2ghdPScq3EWe1C5J+t9+9LuAh1dKSg0Jg9ZafWU1gz9wUjuW1:SQfy
MD5:4EA82F092B348DE6E7BBEFA317FE1D26
SHA1:9968A16CEA7C588482515141E2895126C37341E3
SHA-256:2F4B9BD5019C20DC16C4068EBC9757461511AD97225D4D533BFFA91D9493237C
SHA-512:55E19F9D46803C30CF8398942223A571E710E02D72DEC418BC57A1E222EC5035BDA253EEBEA99DB7267787D890310D30C7E900D25257B02224E8612E8304656D
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 3300 x 76 x 8 - top
Category:dropped
Size (bytes):250844
Entropy (8bit):0.7661069044348454
Encrypted:false
SSDEEP:24:ge/4XkQI+lyqe9tBWYCH3HSGuSXBpNzUkxNKA1HRKX4v+8N99iRIOUeO6qDX7Jhv:6
MD5:629F13E1A4CFF9AD3785D3BA56BC6D39
SHA1:7EDB889F6AFB1ECF6BC2DEF15AEDA2B3E17DD9E6
SHA-256:658B6A55A531912D2DA97C0F9D7AB40B2B073DB0884FDFE5EF19E9E9C0D1458F
SHA-512:616C03B3AFFD4BB45C0B8C890EC3FED0B94B916C98EB921DF01B94187B8025D87679BFF5C65812FCC59C2C49C5D7E3E06AD20D1B8A6D737D09A508B535B3C188
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 500 x 12 x 8 - top
Category:dropped
Size (bytes):6044
Entropy (8bit):0.726828000834104
Encrypted:false
SSDEEP:24:bljtojGqq8ePdqW8rbJF2rq+zWWCQAyb+HWA0SCHgmo7g6xATFbYmwtfPGA7eUqF:ZWj0Qf2rcFQ/VAEro7HxARbDwtHZ7C9
MD5:D9CA40750B4CB752BC02A8EEE8716428
SHA1:BB9DA97A6A3CDE61622FAC8483E073156108FFCA
SHA-256:4B2023D822DC747DF1DA9127E8F7C8624A2488E83BA6785F81C0AD17509DABFF
SHA-512:9D0B802925EFBBC480842176C0267CE0C23CF3BBAC948760DD18C480A24A3F711E7E5B1DDCAF277BC862C9A2B8EB14CEED45B9E8F9DC7211F48602F6E47E9E6D
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2205
Entropy (8bit):2.693721307467483
Encrypted:false
SSDEEP:24:9OFpTEqAIA/6DEKboXfJec/r2z2YavdHopX4QbxuRWDppqi55ZKUvOEle/1:9OFOqAd6DXboX/YalICJWDai558Udo1
MD5:F73A4013DD4FBD49A528A37C706FE227
SHA1:04D93F0A249B08AC0E2C6000816FD291A13A00FA
SHA-256:90924F625305904A641B0200C7708CBDEBCDFB54B5E09CB0DBFC6149CFBFC56D
SHA-512:72C02D5963DA0CE9BEAD72EE2FBB613246DAE58627F2B5EBC93A4D14B696C67B056AD704F5D294409BAA3A924E4794B044142E24191D2AE026BFB6B9D86A5221
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 960 x 16 x 8 - top
Category:dropped
Size (bytes):15404
Entropy (8bit):1.5604063426004298
Encrypted:false
SSDEEP:192:2Edv8k/k0Y/ss8PbgWRohup5AN2RU0YEjIN1SSEZ2IETubn972Hs8asm5X:Vk0msR0kz63Eq1SSEYIETubikF
MD5:3336B947AD964644DC59B5D5CA5A208B
SHA1:600B60DEE5131DD5B8A721680C850A751CDB7B07
SHA-256:E1D9F7C12F7F4841F7684509D473424B30B6D0E3E57B1944CEF5C1486F06FCEB
SHA-512:B907B14894EAE3B925A178D51A8D412D3622C0D8964DD49B058425A0BEF2C2C27BA3F7B2A7C9EE382CAE0CA8452A091C8E3C9132CADF73C8F667AC8E587619C3
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3428
Entropy (8bit):3.3571517672450866
Encrypted:false
SSDEEP:96:8RmfoybIG22Ph4hTSIKQEPWKTootr6t9TE:8RaTbIn2Hlst9TE
MD5:A4233603E807639342DB01DE2331E10A
SHA1:D98B1BBDDFB339C704BDC21AD4831ED4BD60D0D7
SHA-256:2F5EB4C4AA628590EA178162325F685438FFA20FFF9B9B20564B472E9ABF4368
SHA-512:C91F37B58212D87E3D2635E94AD7AC67B72874E666CB4A450838031C9A344CDDA60561D8F07B863BC2022B0798D2BC507D236F3728F76BC7D35C2E293CFAFCAB
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.6894722219470664
Encrypted:false
SSDEEP:24:smpTEqAIA/6DEKboXfJec/r2z2YavdHopX4QbxuRWDppqi55ZKUvOEle/1:smOqAd6DXboX/YalICJWDai558Udo1
MD5:D6ACE7ED67E83145BF40DAA0CE5D72CE
SHA1:8B80DD595010F1F29DD7F912F0A6BF3ABEBA58C6
SHA-256:75F45D4004CE0E7CA709EF91DB190D647F110A419F4470E9453CBE89FC7A4125
SHA-512:2230EF889C0E41F786F3A1A7678D8C921A3665625B1D1C1B889C54BF09F5EB4889A269B6DFCEF37A338E357B8AB47DCBB7B6D8DC4930D44F29A9C613A7B41C1C
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1300 x 29 x 8 - top
Category:dropped
Size (bytes):37744
Entropy (8bit):0.6986554039535606
Encrypted:false
SSDEEP:24:Uc6eCqZc6T7O8zQpgMS2e7Gqq8fVpiEUUYW6H7DT8SBSQLFfSXDcUqOc7bm3OSQ6:Ue
MD5:448BE1D3548E5FE0073C767DB56B0320
SHA1:F94FDCC55AFB8AF3828B7164807A5FB6FD90D726
SHA-256:7AA4769C2ED69249742A302A180A0798EFEB2615649F4A51CCBE0EBE4337707F
SHA-512:78513D3F88A6C55D0706DC9767281A1601ADA63234E4165E24D0133CB6837EE5E7E93F085791E098F623FF7C35C5D95A0C790EF0662406E0640A17BDBEA38973
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 2250 x 37 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):83294
                                                                                                                                                                                                          Entropy (8bit):1.2332020947298008
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:jErFszwjOEia2gJkZH84KzTJc0Q2CWFgpiAM65EWNo1DN1k9y/hZh:CHf
                                                                                                                                                                                                          MD5:AB64259291B46C739F072868D63F1CB7
                                                                                                                                                                                                          SHA1:1C5ECB6C93D138095970DACC409A43B61653E508
                                                                                                                                                                                                          SHA-256:C7DC605AFACBE893EE6B5996560AA76B8FFF1176602AF20823800BFFD88C255E
                                                                                                                                                                                                          SHA-512:C150F673F87BEAA78CB4D69FF47252F61A947AFB66558F98E6812C87984E014EBE4C8F74FEB2F9F82F3B55A7193D3E60E575D12E7EB8D304D615610CE3182C1F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............%.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 800 x 18 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):14444
                                                                                                                                                                                                          Entropy (8bit):0.6137222239827698
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:JdgqQ8qnPqrRbQ0M6quQaYARkBHI0lqFQQ49IY8oXaWGtbQH3PqZTYvfJ7sU3XU+:IWiALdpYTbAgAFe0DmWTCsi
                                                                                                                                                                                                          MD5:3F33DDDE906CF89745E1D4CE3D2A33FF
                                                                                                                                                                                                          SHA1:B0CBD603069FB94A2D144E809232874635E6E1EF
                                                                                                                                                                                                          SHA-256:916406ED74BA47D18350D7414D14C1182E0C5B987F666B8AB749A87C6E7F832C
                                                                                                                                                                                                          SHA-512:EDA4FC6933BB6D475C3C763C1D1270C42EC52EA91D36E8D70CDB6C9797B13E63867F366F766F291472DB5ACA94C0AD241262BF146AF073D61B25D1B43D45CB64
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............ .... ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 600 x 14 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):8444
                                                                                                                                                                                                          Entropy (8bit):0.6450671135015665
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ILzehykPMi4//PtKTy3hTkWhAT902yZWh/O:y
                                                                                                                                                                                                          MD5:2C47EFC4C7C816D6DB3B5849ECAB5300
                                                                                                                                                                                                          SHA1:50DAFE6234A900AD64B58B7A8FA9491B9F426131
                                                                                                                                                                                                          SHA-256:49D412BF9DCFAAF2F32D58F0A3A823E417D25DA7D872379C47F88A341EE8D35C
                                                                                                                                                                                                          SHA-512:06996E1CF8D2013BEEE952E4F36F3EFADEB57318F97B519D4B1BA4ADAED01D6CD3E11E98F470A3AE12DB0456467E99255B5A99694B169A11C8229FF4E13B878F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............X.... ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7007692729882984
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Rdmw6zErZXFQk1Dr1u+c11Kt+Gw1SqDmpl0xwx/F3:DzRr0+CQtnWD4axaZ
                                                                                                                                                                                                          MD5:6B30DE40592D0464D320C3ECC9250C40
                                                                                                                                                                                                          SHA1:B6139688C797DC82BC4507397A0102DCC0386CE6
                                                                                                                                                                                                          SHA-256:80D4A90F44E5FFE8D0DD3D06A34C17A6E675FB8B091B2190564DCE08B010E875
                                                                                                                                                                                                          SHA-512:C7C2FC8B72E27A5CE5A4A20E086E4B1EAC2C556A1F88DB9AF87C025E5AF1D363AA91EA70EB67A952B0356307D77D1CB7FAE3922680C022C3671B7AF56A1F1547
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......-.&.................10PT-OCRA10-300dpi_0.tga..H... .........-.........!.........-........."...4.....-.........#...N.....-.........$...h.....-.........%.........-.........&.........-.........(.........-.........).........-.........*.........-.........+.........-.........,.........-.........-...8.....-.............R.....-........./...l.....-.........0.........-.........1.........-.........2.........-.........3.........-.........4.........-.........5.........-.........6...".....-.........7...<.....-.........8...V.....-.........9...p.....-.........:.........-.........;.........-.........<.........-.........=.........-.........>.........-.........?.........-.........@...&.....-.........A...@.....-.........B...Z.....-.........C...t.....-.........D.........-.........E.........-.........F.........-.........G.........-.........H.........-.........I.........-.........J...*.....-.........K...D.....-.........L...^.....-.........M...x.....-.........N.........-....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3057
                                                                                                                                                                                                          Entropy (8bit):3.165463306756613
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:b6nP2JcVr0497J0ottjzyLPNIbD/FfTCzTZ4AHweE02vfMITD8PLk7ZaYDGHjeIj:bbKZN70WQBIbuTlweErT3m
                                                                                                                                                                                                          MD5:F8F1E147439707622834821B52A7B164
                                                                                                                                                                                                          SHA1:E2B73166A96F09B25B48C6F57E6556AD0DD12707
                                                                                                                                                                                                          SHA-256:B0481302FCF9A5D8DF3D354206111231762A0D6EAB074044C02313D6AA51A72F
                                                                                                                                                                                                          SHA-512:EB4B56D0C84164CB8FD1A313E7FCED42AB02440D0B7887F31AB71AC92C466876FD540303C4C49A4E9D55E75E8A2BA5ECAEB9500C626F3F8320E3BE7867CC93A3
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial..........................8PT-ARIAL-200dpi_0.tga..p... ...................!..................."...c...............#...................$...................%...M...............&...................'...................(...]...............)...................*...................+...................,...................-...i.................................../...A...............0...#...............1...u...............2...-...............3...7...............4...................5...A...............6...K...............7...U...............8..._...............9...i...............:...................;...................<...s...............=...}...............>...................?...................@...(...............A...z...............B...................C...................D...'...............E...................F...................G...................H...{...............I...................J...*...............K...3...............L...................M.................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1915 x 32 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):61324
                                                                                                                                                                                                          Entropy (8bit):1.2813951377329098
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:W+MWi82ESlvTpH82Tc2B/ArZr2qdg8n1AZ8FBJiu078VMONPWkMdHvwl3hvEyZpa:Brw
                                                                                                                                                                                                          MD5:C42321E8097CB81D66E1C2AB3497B548
                                                                                                                                                                                                          SHA1:B31595FF83938976A73690FE311F0B583E7C3DFE
                                                                                                                                                                                                          SHA-256:6C625686DB0A0F72625940C4E1E8E02B877072F1F9CCB83DACF4E7AF2AD238EF
                                                                                                                                                                                                          SHA-512:59D28002B3B20A612D8DD905B12E7BF3043C3C7D2142BBC4E998A104F3B0A071875B213EC34C17335E142C6830D82B9D47CC31293E5075799B9D24B09F6A441A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............{. .. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.4915509542601204
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:3YHHhpxaiB7VYu8KPADiceYuMewDiiJGzGRu86/gDiT5XxHFXpnjZUmxHVX5njJP:3dytOg7pZf7wA
                                                                                                                                                                                                          MD5:599B47BFE00AB3D3B16D11E6899BC66A
                                                                                                                                                                                                          SHA1:1CE20D8640B23C01AD66BD9E27E584DAEED44524
                                                                                                                                                                                                          SHA-256:824EE9ACB3D0C28A1ED3F8EFCE32CC4ABEEEDE2D2947E645D40E649EC5F109A0
                                                                                                                                                                                                          SHA-512:3DA69001537EB8DF9F6C88782C82A7CCD2056FF89DE7610007C9A4C8A181EED126E489585DBF270AD7199667EBA7A096C518CEB82775096D1F568FE4D5882AA9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10..........................10PT-OCRA10-100dpi_0.tga..H... ...................!..................."...................#...................$...$...............%...-...............&...6...............(...?...............)...H...............*...Q...............+...Z...............,...c...............-...l...................u.............../...~...............0...................1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...................=...................>...................?...................@...................A... ...............B...)...............C...2...............D...;...............E...D...............F...M...............G...V...............H..._...............I...h...............J...q...............K...z...............L...................M...................N..............
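The records above carry the fields a triage script actually needs (8-bit entropy, the "Encrypted" verdict, libmagic's "File Type", the hashes and a byte preview), and several of the files libmagic reports as plain "data" start with the bytes BMF and name .tga page files, which is the layout of an AngelCode BMFont binary descriptor (after "BMF" come 10 header bytes, then "d" = 100 in the stretchH field, then 9 more bytes, then the font name, exactly as in the previews). The following is an added example, not Joe Sandbox code and not code from the analysed installer. It assumes the one-"Key:Value"-per-line record layout seen here, with "Process:" opening each record; the two sample records are copied from the listing above, while the BMF header bytes are constructed to match the BMFont v3 binary layout (the "info" block interpretation is an inference from the previews, not something the report states):

```python
"""Triage helpers for dropped-file records in a sandbox report (added example).

Assumptions (not from the report): records are "Key:Value" lines starting at
"Process:", "Entropy (8bit)" is Shannon entropy in bits per byte, and the files
previewed as "BMF..." are AngelCode BMFont v3 binaries.
"""
import math
import re
import struct

# Two records copied from the listing above; previews shortened to their prefix.
SAMPLE_RECORDS = r"""
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1915 x 32 x 8 - top
Size (bytes):61324
Entropy (8bit):1.2813951377329098
Encrypted:false
MD5:C42321E8097CB81D66E1C2AB3497B548
SHA-256:6C625686DB0A0F72625940C4E1E8E02B877072F1F9CCB83DACF4E7AF2AD238EF
Malicious:false
Preview:............{. ..
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Size (bytes):2205
Entropy (8bit):2.4915509542601204
Encrypted:false
MD5:599B47BFE00AB3D3B16D11E6899BC66A
SHA-256:824EE9ACB3D0C28A1ED3F8EFCE32CC4ABEEEDE2D2947E645D40E649EC5F109A0
Malicious:false
Preview:BMF..........d.........ocra10
"""

# Constructed BMFont v3 header + "info" block (assumed layout, see parse_bmfont_info).
_INFO_FIXED = struct.pack("<hBBHB", 8, 0, 0, 100, 1) + bytes(4) + bytes(2) + b"\x00"
BMF_SAMPLE = (b"BMF\x03" + b"\x01" + struct.pack("<i", len(_INFO_FIXED) + 7)
              + _INFO_FIXED + b"ocra10\x00")


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_records(text: str) -> list:
    """Split a 'Key:Value' dump into one dict per dropped file (new record at each 'Process:')."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)       # first colon only; values may contain ':'
        key = key.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value.strip()
    return records


def parse_bmfont_info(data: bytes) -> dict:
    """Parse the header and 'info' block of an AngelCode BMFont binary (assumed v3 layout):
    b'BMF', version u8, then blocks of (type u8, size i32 LE, body). Info block (type 1):
    fontSize i16, bitField u8, charSet u8, stretchH u16, aa u8, padding u8[4],
    spacing u8[2], outline u8, fontName NUL-terminated."""
    if len(data) < 4 or data[:3] != b"BMF":
        raise ValueError("not a BMFont binary")
    version, off = data[3], 4
    while off + 5 <= len(data):
        btype = data[off]
        size = struct.unpack_from("<i", data, off + 1)[0]
        body = data[off + 5: off + 5 + size]
        if btype == 1:
            font_size, _bits, _charset, stretch_h, _aa = struct.unpack_from("<hBBHB", body, 0)
            name = body[14:].split(b"\x00", 1)[0].decode("latin-1")
            return {"version": version, "font_size": font_size,
                    "stretch_h": stretch_h, "font_name": name}
        off += 5 + size
    raise ValueError("info block not found")


def triage(record: dict) -> list:
    """Checks a reviewer would flag on one record; an empty list means nothing stood out."""
    flags = []
    entropy = float(record.get("Entropy (8bit)", "0"))
    encrypted = record.get("Encrypted", "false") == "true"
    if entropy > 7.2 and not encrypted:
        flags.append("high entropy but not flagged encrypted: check for packed/encrypted payload")
    if record.get("File Type") == "data" and record.get("Preview", "").startswith("BMF"):
        flags.append("libmagic says 'data' but BMF magic: likely AngelCode BMFont descriptor")
    if not re.fullmatch(r"[0-9A-Fa-f]{64}", record.get("SHA-256", "")):
        flags.append("malformed or missing SHA-256")
    return flags


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(rec["SHA-256"][:16], rec["File Type"], triage(rec))
    print(parse_bmfont_info(BMF_SAMPLE))
```

The "data" verdict is libmagic running out of signatures, not a sign of obfuscation: the 2.5 to 3.2 bit entropy of these files and the readable font and page names in their previews are what a small structured descriptor looks like, and the Targa files dropped next to them are the glyph pages the descriptors name. Hashes of both can be compared against a clean install of the same support tool before spending time on them.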
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7558355124785305
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:UOZpUOWNCIrDUo/3KqKRecWjHLTDQA+0x/Oi30UrcKSqX3nPE6a8AllvUQNR6n/X:UOZ2jNfUofbLjkA+O//5c2ahXUA46e
                                                                                                                                                                                                          MD5:60269A9D66B814F9B32A3BA81599CC6E
                                                                                                                                                                                                          SHA1:6A7A74C5E56F1AFFC5AAA312390C849F1FC9BBBD
                                                                                                                                                                                                          SHA-256:47D472E5ACD1612FBAA45A142323C3F497C0A2637D3A5502B8BAA7584548E407
                                                                                                                                                                                                          SHA-512:4B43CDE22E9348F9E7BB1548BCFC7B23DFBDCEC1731BD8E20961D38213616A2D24B748BD27B1EEC601EF0EB50E8413C571D3FAEE37707E822A5F15F16B89650B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......n.\.d.p.............12PT-OCRA10-600dpi_0.tga..H... .......<.n.....<...!...=...<.n.....<..."...z...<.n.....<...#.......<.n.....<...$.......<.n.....<...%...1...<.n.....<...&...n...<.n.....<...(.......<.n.....<...).......<.n.....<...*...%...<.n.....<...+...b...<.n.....<...,.......<.n.....<...-.......<.n.....<...........<.n.....<.../...V...<.n.....<...0.......<.n.....<...1.......<.n.....<...2.......<.n.....<...3...J...<.n.....<...4.......<.n.....<...5.......<.n.....<...6.......<.n.....<...7...>...<.n.....<...8...{...<.n.....<...9.......<.n.....<...:.......<.n.....<...;...2...<.n.....<...<...o...<.n.....<...=.......<.n.....<...>.......<.n.....<...?...&...<.n.....<...@...c...<.n.....<...A.......<.n.....<...B.......<.n.....<...C.......<.n.....<...D...W...<.n.....<...E.......<.n.....<...F.......<.n.....<...G.......<.n.....<...H...K...<.n.....<...I.......<.n.....<...J.......<.n.....<...K.......<.n.....<...L...?...<.n.....<...M...|...<.n.....<...N.......<.n....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2897
                                                                                                                                                                                                          Entropy (8bit):2.9695186302821264
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:iAYtWLd35SBFcPssMaGSY2naewHcS73HQog5dKSxWcMPsw1IZNseKqKeWQU3LSkX:i2pYGjgD3HQrKxQOSo
                                                                                                                                                                                                          MD5:E6AD0D02508563AB6B0E71D771E7968B
                                                                                                                                                                                                          SHA1:D7F1997A866F964CB6FBB2C069662D75FE34E2A3
                                                                                                                                                                                                          SHA-256:E0C9680CAF6E60F3C0C1B5352C83F27EFC6E02C653AA098A17CA12A5C495EF31
                                                                                                                                                                                                          SHA-512:01EF36F2A6B8410A414FFC984A06D2742125E3FAAEB7D87592A0468AFD90750D15A376FEDD62DD99C9E3AFFAC11808F2215DA8D66ECF057CFF2240F5A7DAE3E5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial..........X...............9PT-ARIAL-100dpi_0.tga..p... ...................!..................."...................#...................$...................%...R...............&...*...............'...,...............(...................)...................*...................+...................,...&...............-.......................$.............../...................0...................1...................2...................3...................4...r...............5...................6...................7...S...............8...................9.../...............:...*...............;...(...............<...................=...................>...................?...................@...................A...J...............B...;...............C...G...............D...Y...............E...................F...e...............G...................H...................I...4...............J...j...............K...................L...5...............M...B.............
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 4400 x 74 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):325644
                                                                                                                                                                                                          Entropy (8bit):0.960508907831785
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:iBoqJ8aicj9+hCwjha/FPIb3SqW7sxHBTjMSRyy6Io86YocRzz3Pxut/OvoG+TgV:52G5jZ
                                                                                                                                                                                                          MD5:31D0F3CA574F7915C243160B737F0EB4
                                                                                                                                                                                                          SHA1:C10D8540C7566A487F340D00A26FE665D5980A2F
                                                                                                                                                                                                          SHA-256:C37897B545868E651A348F73EB3032E1BE7A42B5835C5DA3E0625DAF4476539F
                                                                                                                                                                                                          SHA-512:79712CDA5A3A60E277B2D03F7F64A1A230E2903EC24EEA08EB4A52382F4A4B5200E5D619495CADF895B96EEE69AE53F9B61F8BC3EC53BC5AB703FDC2C60655E5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............0.J.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3437
                                                                                                                                                                                                          Entropy (8bit):3.4117486433608275
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:pGBR0vr5orBiU1r4GO/1O0GTqqZfeCXEC5W6O5Rv/ow7xTIVyR8bD9RHGz/N/GF1:pn5K1r4GO/1OnZZ3UIODHoHRmz989Tj
                                                                                                                                                                                                          MD5:217A6D466B5D7859574D6996DFA74E2C
                                                                                                                                                                                                          SHA1:093A48EEE6DEEA8819C9867CF6035E02058FC40F
                                                                                                                                                                                                          SHA-256:D84226F3EA8E9C4FC892840046DB4E5FCFAAB81F9209EAD95EABC9678391AA14
                                                                                                                                                                                                          SHA-512:5F43B97C7D6469F4B7FD73C939F3B0B2405818C47366B8DF44B59EE949FB2EC7E74F89CF888DC914122CDD245B79476BB63BF78AD8E74FC237FF037CBB3C69C5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF......C...d.........Arial......C.6...D.............8PT-ARIAL-600dpi_0.tga..p... ...-.....C.........!...'.....C.........".........C.........#.......!.C.....!...$.........C.....!...%.........C.....5...&...-...$.C.....(...'.........C.........(...K.....C.........)...x.....C.........*...v.....C.........+.........C.....#...,.........C.........-.........C...................C........./.........C.........0...V.....C.....!...1...+.....C.....!...2.........C.....!...3.........C.....!...4.........C.....!...5.........C.....!...6...<.....C.....!...7...".....C.....!...8...>.....C.....!...9...Z.....C.....!...:...!.....C.........;.........C.........<...Y.....C.....#...=...v.....C.....#...>.........C.....#...?...v.....C.....!...@.......7.C.....=...A.......).C.....(...B....... .C.....(...C.......%.C.....+...D...R...#.C.....+...E....... .C.....(...F.........C.....%...G...C...(.C...../...H...F...!.C.....+...I.........C.........J...^.....C.........K.......$.C.....(...L.........C.....!...M.......).C.....1.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3057
                                                                                                                                                                                                          Entropy (8bit):3.167983330030016
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:WR2aYI28h7TYUED62bNmOS7L9mpIsnRoFMLkqi55DllP4jydK1zsR8tBDRAP/vc+:WrYUgl+2RmpL9mpIsn+Fd5GzJmHDku5
                                                                                                                                                                                                          MD5:5DC7E9AD26A8FF2759B353B041D308D9
                                                                                                                                                                                                          SHA1:A2E1B1E6B1C1B6B9574D18CA1083C362559155B3
                                                                                                                                                                                                          SHA-256:A94D7F62E0142E1F8865F8242C96820D576023404CEB5F75DC2084E85D511A6C
                                                                                                                                                                                                          SHA-512:1E6B41081C3338E35497CBA1E8EE1AB5E9D8BD7B169194D5A0E58363125777979FE1A60B344E41B59DE18EC3B1348AAB726E6D3870066E5B37C56CA52D3CB796
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial..........................9PT-ARIAL-200dpi_0.tga..p... ...+...............!..................."...................#...................$...@...............%...................&...I...............'...................(...................)...................*...6...............+...x...............,...................-...v.................................../...R...............0...a...............1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...-...............=...:...............>...G...............?...................@...K...............A...................B...................C...................D...................E...................F...................G...................H...Y...............I...................J...................K...y...............L...T...............M.................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 2240 x 37 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):82924
                                                                                                                                                                                                          Entropy (8bit):1.237346860205523
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:/E9FsNw1OEYA2gDmZ58aKz5Jc0q2CW7gpiAq65EkNo7BR1k9y/hZ5:QBT
                                                                                                                                                                                                          MD5:8F1B9B7075BD089C60EB9EA97E3C85BF
                                                                                                                                                                                                          SHA1:9B1173F88E1EDE1873660FAC312A54C4B1ADC78B
                                                                                                                                                                                                          SHA-256:B6EC7076357106F3FF84CC46E7841F2D450D32717F81935CB133FF3AA8C93274
                                                                                                                                                                                                          SHA-512:A481C45DAF03D9BEFC5EE6499AD2BF4D608F77C5DCA91BCD35651204BAD4ACCA4F54CFBABAA7843BF7CC2DF3FB6181A3677E4972F59DDC0A221BAAF5B90E475F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............%.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 2800 x 46 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):128844
                                                                                                                                                                                                          Entropy (8bit):1.1197701008615584
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:abbbbbbbbbJvwAgHRTelyDXnNhdktel30XTGT3sfWTpNXNNSsSwZM968ElE8HAhF:a1OrD7C
                                                                                                                                                                                                          MD5:4D6DD8C05CB298560E84845EC3138B78
                                                                                                                                                                                                          SHA1:5E98D7EEDA1BD3DFC98B152B2133D07C3A3A5CFC
                                                                                                                                                                                                          SHA-256:6694B6FD4D487DC6D99FB7347653E961CB836EF83085ACA39F137586E6920930
                                                                                                                                                                                                          SHA-512:6F947E541A45BD50322831CFBEDA3C288DB1CF630A2A3BA48E1F2FEBFD2635211F66A58F42F2D35BFBC68DE94786EB5193F65B78A88C1A2EA2F8167C747A228D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 860 x 13 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):11224
                                                                                                                                                                                                          Entropy (8bit):1.7571414506154819
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:eP91vg99WJfpGE4gW7ELjTqaHqHgMfx+/7:eP9pg99WJgE4gW7UjmaHqHgox+/7
                                                                                                                                                                                                          MD5:58E2C4265CF0F94677ADD0D8D397BF38
                                                                                                                                                                                                          SHA1:54B8BB824DF307E60736F23DA9D6737D7B3B7719
                                                                                                                                                                                                          SHA-256:B2E3DE7A50C4F85190C2A192A426DC3D5C204055DF3CCF5B58733F186594A861
                                                                                                                                                                                                          SHA-512:88290F78C207A75E44789449B524FF51E6D3058AD98FAF234F7AEC0814BC6FB2F2D6D8390C9B36793A93A3D0B83319050AA10237D10D292C447F3458DD9B8D11
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............\.... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J..........................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7552139736822685
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:RZ+N2IUIUhVeQsNjZEI8iIEVlSn0AC8Jiu:RAlDWVe1Ru9iIEV85N
                                                                                                                                                                                                          MD5:D2B46680276BAE154B972C7C15F49564
                                                                                                                                                                                                          SHA1:3DD8FB8C47CB3EB0F8C170E65CD230EC7BB2C108
                                                                                                                                                                                                          SHA-256:93F5FE693CA004A0E06353C40B48FB23E064AD275AF1BB7133D0B27BDFB7A892
                                                                                                                                                                                                          SHA-512:6464F5B40D120288E5ED62DBB4766A10D1C425249A9EBC757DF5C392D7535F2AA6CCE80E69B664FFA56A60466706897FC89BD062E5EE669ECF2AAFC2C149C0E1
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......\.M.6.^.............10PT-OCRA10-600dpi_0.tga..H... .......2.\.....2...!...3...2.\.....2..."...f...2.\.....2...#.......2.\.....2...$.......2.\.....2...%.......2.\.....2...&...2...2.\.....2...(...e...2.\.....2...).......2.\.....2...*.......2.\.....2...+.......2.\.....2...,...1...2.\.....2...-...d...2.\.....2...........2.\.....2.../.......2.\.....2...0.......2.\.....2...1...0...2.\.....2...2...c...2.\.....2...3.......2.\.....2...4.......2.\.....2...5.......2.\.....2...6.../...2.\.....2...7...b...2.\.....2...8.......2.\.....2...9.......2.\.....2...:.......2.\.....2...;.......2.\.....2...<...a...2.\.....2...=.......2.\.....2...>.......2.\.....2...?.......2.\.....2...@...-...2.\.....2...A...`...2.\.....2...B.......2.\.....2...C.......2.\.....2...D.......2.\.....2...E...,...2.\.....2...F..._...2.\.....2...G.......2.\.....2...H.......2.\.....2...I.......2.\.....2...J...+...2.\.....2...K...^...2.\.....2...L.......2.\.....2...M.......2.\.....2...N.......2.\....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 3320 x 57 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):189284
                                                                                                                                                                                                          Entropy (8bit):1.0677553185239799
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:8885P4818bf8Jv1Z82s8Kfd91rzR9AfTBCBpdHydSKAFDaZK+XDegP8C6bnHdXyV:K4TjVOPv5
                                                                                                                                                                                                          MD5:F2ED6C328CA5008A9B054710EE8E780E
                                                                                                                                                                                                          SHA1:6B8BFBE48AD327C951E9A3B75230825C8215D196
                                                                                                                                                                                                          SHA-256:ED87E8B5D3EE7B12D777799A1B524DCA5C30834E360A9843D22BB47D02DA2909
                                                                                                                                                                                                          SHA-512:26EF29DFC0DA34CA8BD6AA89B07FF6894B97362D883ACD244B4F8063CAAA07ED52340A654B7B35029893AD965D5A2D1057981F5D9517D06DFD16A49EAC7BBC15
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............9.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3428
                                                                                                                                                                                                          Entropy (8bit):3.320732685974979
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:yM8g7/eitM/qUhJq7zO3/YVTc85H7URmQdwUjpf1ROYCReUzpkRZEzDofqEp/VTE:L8g7/ei1UcqQ7d74/l9s3oCEp9TE
                                                                                                                                                                                                          MD5:9A01A600058FE761D25D47BD733AD722
                                                                                                                                                                                                          SHA1:DC666706B1B4E12D2B406A4E12903EFB63F8EE0F
                                                                                                                                                                                                          SHA-256:12DF5C9484A623C0204E089BD1B7884297FE53A2CF47D3C3B028A58089689F1A
                                                                                                                                                                                                          SHA-512:A4E3240ADA50FDABD0D80B2707CB4B0F69B6BBB0C7A262CE266BFD95CF39BEDB26535DCF481CB3A10A909F237F7385103C2A45049943D80418FA8E1D67B88B38
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF......*...d.........Arial......*.".l.+.............10PT-ARIAL-300dpi_0.tga..p... .........*.........!.........*........."...Y.....*.........#...>.....*.........$.........*.........%.........*.....!...&.........*.........'.........*.........(.........*.........).........*.........*.........*.........+.........*.........,.........*.........-...N.....*...................*........./...7.....*.........0...F.....*.........1...C.....*.........2.........*.........3...".....*.........4.........*.........5.........*.........6.........*.........7...z.....*.........8.........*.........9.........*.........:.........*.........;.........*.........<...T.....*.........=...A.....*.........>.........*.........?.........*.........@...p...".*.....&...A...i.....*.........B.........*.........C.........*.........D...'.....*.........E.........*.........F...g.....*.........G...5.....*.........H.........*.........I.........*.........J.........*.........K.........*.........L...4.....*.........M.........*......
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2204
                                                                                                                                                                                                          Entropy (8bit):2.72095553940469
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:NZjJx4I4rYY1/CW6v+0f/ql0ttaoGSGQNP:N74rL1a20f/qsq+5
                                                                                                                                                                                                          MD5:729FCD23C2FFFBAA54A67239BF621772
                                                                                                                                                                                                          SHA1:5952D35F196B0B0F150F7C9C32B9CC4BD4C8DD91
                                                                                                                                                                                                          SHA-256:EAB7278D37D2D8EC571E885EC7599B4C68C1E7BC382C8D5066932A26F1EC5ED5
                                                                                                                                                                                                          SHA-512:8D2D8492EFBCE43DEADA282AF2913A7CD7D092E1E8D415F7E4DE1C5489CC6BD0832553AEB4C146B30396843FEA450DCD4FB8D8E0514135380C66EBD346DE2986
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......I.=.0.J.............8PT-OCRA10-600dpi_0.tga..H... .......(.I.....(...!...)...(.I.....(..."...R...(.I.....(...#...{...(.I.....(...$.......(.I.....(...%.......(.I.....(...&.......(.I.....(...(.......(.I.....(...)...H...(.I.....(...*...q...(.I.....(...+.......(.I.....(...,.......(.I.....(...-.......(.I.....(...........(.I.....(.../...>...(.I.....(...0...g...(.I.....(...1.......(.I.....(...2.......(.I.....(...3.......(.I.....(...4.......(.I.....(...5...4...(.I.....(...6...]...(.I.....(...7.......(.I.....(...8.......(.I.....(...9.......(.I.....(...:.......(.I.....(...;...*...(.I.....(...<...S...(.I.....(...=...|...(.I.....(...>.......(.I.....(...?.......(.I.....(...@.......(.I.....(...A... ...(.I.....(...B...I...(.I.....(...C...r...(.I.....(...D.......(.I.....(...E.......(.I.....(...F.......(.I.....(...G.......(.I.....(...H...?...(.I.....(...I...h...(.I.....(...J.......(.I.....(...K.......(.I.....(...L.......(.I.....(...M.......(.I.....(...N...5...(.I.....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.609183250375046
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:RvOYHagXBgbjzPFhy9gZ5J8yVKAfOKBsaaa4iL:JO/J290J8plKBMaBL
                                                                                                                                                                                                          MD5:A8CF7B2851A757AC3814E6FAF4780EB3
                                                                                                                                                                                                          SHA1:1EBEF432D358A2DBCD3167D2E27BA36C0159A5F5
                                                                                                                                                                                                          SHA-256:ECE5FE93E85A48CE06E637E0B6166429A5EDBB30A59871935DC94AC99BD7EC2A
                                                                                                                                                                                                          SHA-512:0072D5010F2E416095E28912B82EF74A1843D856CB2C0721F84F281F85C2072D380F9C0DAB527EB6E354B290076B91FF90EC45B0E26A7F22774D9D79DD4150F0
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10..........................12PT-OCRA10-100dpi_0.tga..H... ...................!..................."...................#...!...............$...,...............%...7...............&...B...............(...M...............)...X...............*...c...............+...n...............,...y...............-......................................./...................0...................1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...)...............=...4...............>...?...............?...J...............@...U...............A...`...............B...k...............C...v...............D...................E...................F...................G...................H...................I...................J...................K...................L...................M...................N..............
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1050 x 23 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):24194
                                                                                                                                                                                                          Entropy (8bit):0.7584763606736251
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:Ph8VVLuZd6UiU1XD3868Z8GDbA98K7v7DOD3Z81GY/UU8x/o09Fc3rpDfScJ0LzP:c
                                                                                                                                                                                                          MD5:596BA81E3F315973A9106A739718F3C7
                                                                                                                                                                                                          SHA1:63FF6FB1D84FF576DE5A403A7CF1783C569B554F
                                                                                                                                                                                                          SHA-256:C1CEDD397A7524CA8F2B9C3B7A2649A6FF4282700EABAF07C30A926B12D3AFA8
                                                                                                                                                                                                          SHA-512:D629C436FC780644899BA88F738AA36053808248E24933A1FF2173E0312A7C6F9467D6DE6C8FB9938E29495297E60178FDD72F9D8516BF6440B3552F98B6B54F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2205
                                                                                                                                                                                                          Entropy (8bit):2.7221687066436573
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:lOm3XXtuKnpBWNi2mKel2hB7qL0GCfr3p0gyZmHX:lO2hnWNi2mKel2jqoT3mgyk
                                                                                                                                                                                                          MD5:C0A46405D22947C9ED2E4D297171E733
                                                                                                                                                                                                          SHA1:B152C09FDD435FA0D54626AFA0F256A2C284887A
                                                                                                                                                                                                          SHA-256:F15C3BF0B59545964F70A527245A0531ECBFDC5608790501174BE855C4551EA6
                                                                                                                                                                                                          SHA-512:0F1EE80A0505E16835D8164604BDBDBE7DA981CDD58DA6430A723049397E22ACFED2020D5E4BCC253DEE2F0AE9BEB32F98C03B42781613C9F72B72049E6B141E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........ocra10......7.....9.............12PT-OCRA10-300dpi_0.tga..H... .........7.........!.........7........."...>.....7.........#...].....7.........$...|.....7.........%.........7.........&.........7.........(.........7.........).........7.........*.........7.........+...6.....7.........,...U.....7.........-...t.....7...................7........./.........7.........0.........7.........1.........7.........2.........7.........3.........7.........4...M.....7.........5...l.....7.........6.........7.........7.........7.........8.........7.........9.........7.........:.........7.........;...&.....7.........<...E.....7.........=...d.....7.........>.........7.........?.........7.........@.........7.........A.........7.........B.........7.........C.........7.........D...=.....7.........E...\.....7.........F...{.....7.........G.........7.........H.........7.........I.........7.........J.........7.........K.........7.........L...5.....7.........M...T.....7.........N...s.....7....
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3438
                                                                                                                                                                                                          Entropy (8bit):3.4674787716741147
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:N6fQs3hKMpD012Iyq584NcRiYT1HzW9Tb:NWEMa12Iyk8HL1a9Tb
                                                                                                                                                                                                          MD5:81D8A9F5AE09E140DE8876A7CB3D107B
                                                                                                                                                                                                          SHA1:DB29B25F21F8919D3B03DFDA19FBA44E1CC00D55
                                                                                                                                                                                                          SHA-256:55214ED98A62516873FB67F13A735FDC437652B346F839C7B00C9BDBF1175171
                                                                                                                                                                                                          SHA-512:3E462A8C9C933EC96C7478E8596A83741A7B2F19DCD1CE0E0A75F6EA7DDCDC93A20597BDE26241CBDB4D23053746D9E766C76007169A0F7D19DF50B41D570614
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3317
                                                                                                                                                                                                          Entropy (8bit):3.293481194050177
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:o7STbYKtinfXO+tfHJwNFoqOswLC4vLf1ROYeReUzpkRZEzDorpEV:o78bPufXIoqOwMBs3oFEV
                                                                                                                                                                                                          MD5:0D5704585482BFA173C0875C7AEEC9DA
                                                                                                                                                                                                          SHA1:EEFBDCFD3A4487E92E6B7183D826BDFC5AD65AA6
                                                                                                                                                                                                          SHA-256:85CB190080DDE3CDAE7F313D66C0131E7885BD9BC514E6A252E7EAD6A46A37F3
                                                                                                                                                                                                          SHA-512:33E806974B357F7D09338EBE842727ABDD033B2400620BDBE5BED77ABC992833438B0E412A93D04E1C42A4DD5D4BB44ECB2DDB8B20F1674AE9DA3640D49D6409
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 4400 x 101 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):444444
                                                                                                                                                                                                          Entropy (8bit):0.7535575336993283
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:qJSEVMFmKpvHWZpYWEqZc6wxd0KyJk2gdYNw0Flc9VHxFz3Me5G3YH/7V9fiKjkZ:A
                                                                                                                                                                                                          MD5:9DD176CA7752B1F13A048C865659E933
                                                                                                                                                                                                          SHA1:97ACDA409018B1639BAAB24E771A8C1297386745
                                                                                                                                                                                                          SHA-256:A4EC86B68D56F45DC7434F0ACFE39B1402C521DCB81FCC278DBA9FEB13A4CD5F
                                                                                                                                                                                                          SHA-512:CB6D412A7D936034C1F5122587705AEAA8F44D61632646F828179F8FADA976F909A496EEC09BAD4E56EA3CC50391D2D71EA311B9E1FFBAE364782FDA45B4FC97
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2204
                                                                                                                                                                                                          Entropy (8bit):2.5077962792151385
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:yYHLOjR3+BX8vDHqJHfC0gGo/W9gv2WHh:yGER3+BX87HqJHfxo/Nuc
                                                                                                                                                                                                          MD5:CD6D2ED5EB50B15CDE613169BD2CD178
                                                                                                                                                                                                          SHA1:AA8A04D9B5D1C8EC0AEB50BBAF643CBCD37011C2
                                                                                                                                                                                                          SHA-256:16BBA19E984462B2AF387446EF0F0037895D28B249AB4674E9E11A0796FCDEEF
                                                                                                                                                                                                          SHA-512:7F7FB9EC566545C29EF39B0EDBFFDD1BA306823ED3FBE1519C96EC5757F5C8F571730CA786A9D514EFC2DE75F27D02B6233C5F9B3DDBE45F8070063AC8F4FF72
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1170 x 20 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):23444
                                                                                                                                                                                                          Entropy (8bit):1.4802597005585163
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:6b7B9yhYA+416K43wEjpEX6njKfuNMc2QBsiubHLmZl:6b19yhYAX16KIjpEX6njKfuNH2QBJPZl
                                                                                                                                                                                                          MD5:96BA5DEAB93C335E35C0C1DD3C106803
                                                                                                                                                                                                          SHA1:45DDBF6D8A220A75335D8BD4022F83397E924886
                                                                                                                                                                                                          SHA-256:0A2A2CCF1DBE7BFC9C030119A3F4A2CDC1C66EFD0DAC293D6966939F5911D3A0
                                                                                                                                                                                                          SHA-512:84908B303401A5DB6EB6DC78167169A3DF964239057B69FE79D6B3037075D2DBD7B633F6A84A1179D0657D9D50DB15B19EB6C4B902D3403130A95FA833FD70E2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1500 x 34 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):51044
                                                                                                                                                                                                          Entropy (8bit):0.7579929130939385
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:FQ8F/SS/4weSS1ZrcAzDtSSzcp3UU9TkBsPWMNFIECxQx0Slzgk91o9MfTHkrugl:A
                                                                                                                                                                                                          MD5:D4AD57A2E3C116086258D646F3F76A0E
                                                                                                                                                                                                          SHA1:047945F7013D661FDB0F3F105F8629646FFFF939
                                                                                                                                                                                                          SHA-256:840C32730278C207C6EC94272F91F49992371FDF418FE10BE687A48CF9821207
                                                                                                                                                                                                          SHA-512:C9E550BD0D3713BA2E1698FD70BBF9033E837AB1AD74171221E1005782CB478174E458254D6971229BBB7858175255FEF2502D41BEC033DB0D0884F26EAC4CB5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 3000 x 68 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):204044
                                                                                                                                                                                                          Entropy (8bit):0.7376266164523018
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:08WgJpwq5j90nm4vUMtqr+uf4hZA/1xL3JVU/9YSPUf3oB7SagbZMoYc+76aEaEF:n
                                                                                                                                                                                                          MD5:755E5A511D6118D7463BB0D5BB8AFC08
                                                                                                                                                                                                          SHA1:F5F17137D18C129CB620F72BC37FB041315A78BB
                                                                                                                                                                                                          SHA-256:58CB5ECC3430502B90EF754214B83A0AFDC6C573669FABA37F5DD4286A8C5568
                                                                                                                                                                                                          SHA-512:2ADC972A02293FD8ABD39FDFE56D6B5456E4DDC1EDC3B30A7E000AB5AFF6EB4514A9CA6FAFBECEA2AD9A0597E12FA667BA1D1098270DFB35DA467DEAD3767AC2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 3700 x 84 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):310844
                                                                                                                                                                                                          Entropy (8bit):0.7579367006513039
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:EJzkzUU8B7uAWjuBPSzPLzX65tqQqzmDzT5kdKqUzH59Ki59dWXFuTBTXu6Xi8go:2
                                                                                                                                                                                                          MD5:561DAFEE6861AC2CFCE4BF7B10F7AEEE
                                                                                                                                                                                                          SHA1:E2782C7518C5C714B5AAC822A761C938C29320A9
                                                                                                                                                                                                          SHA-256:EF92590F7A0CDA8CAE626B2E53B937410B8E691AACF5793972D10B8155A8D6B0
                                                                                                                                                                                                          SHA-512:68556365897536C856FE282A098E541E1E6071263C373E26C57598EEECF54384DF576D58C4DF25B030EAF4DE7A622A337B9ED474AF15068C9067427EC6ABFBCE
                                                                                                                                                                                                          Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3317
Entropy (8bit):3.2823099008263275
Encrypted:false
SSDEEP:48:dQ5cbSBWVg16yHmt53BVeK6FmswO6aPhQURmc/HIcAx+Yulzgaa2fGwvRRX/LQkW:dQ6YFmPB4LI4VRmcgcr3NFl7os4NH
MD5:CC44D4BBB271241AC3C055DCEB06EFC4
SHA1:50492722B9FD8B070D2345A320E54209784A469F
SHA-256:FA9C5A2F691236A3071AC142243C76471133B6866FCAA7E186025AE658D9BB1C
SHA-512:AF140AE21C4467881BF5195F854FC6810DEF5B065BF9C2B5B5FAD1A045CE14DA39792868B89A23CA3D4C9BCAC4F5599B3F7C6931D4A17AC31472A55FD7CCADB8
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2204
Entropy (8bit):2.6412576017007408
Encrypted:false
SSDEEP:48:pFuSmKfTcxuGjUdaXw5Pm7ctfXKVu5L++egfytSPjWyoon62PfoXtyjchuCMtvo2:pMliTcxuGjUdaXw5e7clXKVUL+hgfyty
MD5:EFB3EC56ED4184B4F5A16FF794E640D9
SHA1:80FD816D02F9AF2ACD0A703622C126530B50FC77
SHA-256:C15971469E26D35EA5259A4D90880DE898D553D7212471433AD83D8F7991DFB9
SHA-512:FE95A4934B45B52F5B55D4AF9EF3EBD24020F7925BAF060A0A84015D21615C433826838DA29E2DA0F15BA20F9B06C785BAD4776C0A42491C5D3C4900D20871E4
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1500 x 25 x 8 - top
Category:dropped
Size (bytes):37544
Entropy (8bit):1.4252308764934576
Encrypted:false
SSDEEP:768:5N/BlGZourEoL3B9oLnJPNWo5tDUPoVqbfhAKTFAr7O05/GcFL1SLiPVru7S:LvwoGEorB9ojJPooPDEoVqbfhAKTar7T
MD5:EFEA5E70F1E59B73489C9DE41D13FC2D
SHA1:3944C01A59816F2A61CB28148C08592477BC55A4
SHA-256:5F601A923214F92F592D444CC056FFCF6304C5A11A793655C2C0E0DD9395DC59
SHA-512:7B853A1F49662489F6ACCFC3835769B1179CA33472B16E3A250C782AD416617878211DF41349AB0C732140C14BDC94EF3F3D287EA37A5465E61E690A18EF271F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2205
Entropy (8bit):2.6794216069105823
Encrypted:false
SSDEEP:48:2FKvU6g3tRtqEXRlz11F2VSg25lkAzV6Ue:2SiRt3heVSg6t8
MD5:7C989895AEE6A979B7E76167F695A2AC
SHA1:91640CC0B0B1EAA5F6F8D392B717715E3F9FC106
SHA-256:EE077A80FAB58065D17AA98EB6A13566EF17892A9F2E8296FE30AC9413C858EA
SHA-512:8F7D6E0E02FF7026D9266A8EEAB91A6B395CBEB7BE10195F918B602F75BCDD217B0BCB1164ECBD88588B4D79421331D44BE4F53E6B25046DF64967DE89AA882B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1700 x 39 x 8 - top
Category:dropped
Size (bytes):66344
Entropy (8bit):0.7289775233413816
Encrypted:false
SSDEEP:24:1pdEzskzP6LzhCr0efStz1DOSUbQEqBrzzlSVUSazOhJjcTzVjwY5iSl+wO5tYXk:+
MD5:95BB6DD10F72E43B0EDE93A9D9102544
SHA1:BF5C02D93E865F3566CECF2BA3E8DC76EC1AABC1
SHA-256:8368BF5279F5D354B91A79522BFD5532B96D78F198DDB4938F9FFBC0481DD9B6
SHA-512:3B9C2967ED2F93DEE8F0F68DFB209D28B0B5F15FDA5615AB6AF11F181B79AEF7D1F9DF9A04213467122A5C568E9973051081DE96E36F9CE498AD4FF1E72AC762
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 650 x 15 x 8 - top
Category:dropped
Size (bytes):9794
Entropy (8bit):0.6343491608600029
Encrypted:false
SSDEEP:24:Ph9dberKCLuBOdBdqqn4qOvzgbnq9VpqqdbNYXFsY0DvdRLU+RJP9j6btICChd/O:vfBiV4qOHSXFsTBFYIhunIZ1l6XD7Ys
MD5:582139D68DBAA4E31199534BD7FA44C0
SHA1:D42DA4A0CD704795DDCBD79826DA8BC236B0F80F
SHA-256:9C1A12C67281B0DA3F0FE29ADDB6AA7D13CB542BD105C24D56F94EE634D552C5
SHA-512:EED7CF81307CA7796109CAD95876C3E999C826C0A3A8F73128AE127A1D1F10F6B2B8D856B79B7380EFB589090F30C52F360839DB7DB5AE14CDD36E8690E6633A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3318
Entropy (8bit):3.2848226447246547
Encrypted:false
SSDEEP:48:dQfcbSBWVg16yHmt53BVeK6FmswO6aPhQURmc/HIcAx+Yulzgaa2fGwvRRX/LQkW:dQUYFmPB4LI4VRmcgcr3NFl7os4NH
MD5:F06EF7EEADF8171B7EFA2B8BECC12E43
SHA1:197D75D122AC85D4534B9002988FA040B37A93F7
SHA-256:5DD1AB93109FA2026BF57F0D4B4154E43B52EBB8193C360CB2D119AC32E1EE5C
SHA-512:61194E004F796FFAD3E07DBD0FBCCFE1C1E2D25A8C3C57393A823D65EF0F12E0C778589143DBB74E3D9F948AEB098755944A0168BD2BCBE5B4A757C50075723F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3437
Entropy (8bit):3.4289685103195504
Encrypted:false
SSDEEP:48:sdZ6CG7K2+HMbZg567lzsAQLKL8mympHk8vUGpR3ibD9cH8mFi/GF/VT7n:so7KVHMpsDIFh9TeccmFy89Tj
MD5:CC1F1CE9C164D61DB51A8966A79D7C47
SHA1:10BC345D847335A0F6AAF0FFEEE8FED497AB65EC
SHA-256:FB00488DD96929B89684A894161458F3977513530637647750E047BD9D8DD6B6
SHA-512:9C5FAEEF43A7882B3ACC7B0E00D181590434D06DEB61CCED5B428AD5DE95A9115EFA9106BA696F5EC8FDA9F610C6EF7726F1B9C74EAD4EDA8A07AE43A2408BAA
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):2898
Entropy (8bit):2.9176306580811873
Encrypted:false
SSDEEP:48:ctVkl4CkIKELiERngKAuHxKjVkEmBkmPxGcR2Q2kLpH0zzCsyjj29E5dKSxWcMP1:OgY6TPqazKxQOSo
MD5:A84E3DE53A2A506ED6AF4695BC321B44
SHA1:BB04B5663FF6179B88C3475C52ECDECB6D771261
SHA-256:4375DA93B3BD8957CA136A8596C0196F5BBE3E075DB5D83528B44CF4FCA6CDA2
SHA-512:5B0D0EC02A541E698525A4B4A10802F468A087C6BE983A67D5AE4DE14E817BC9F3DC152FBF68AD89C0F7B74E96A227236361B2B81B9CD41EF567CFCC632AC6D7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 5430 x 94 x 8 - top
Category:dropped
Size (bytes):510464
Entropy (8bit):0.8932362632422378
Encrypted:false
SSDEEP:192:qkLRNFx+n88Y8h8GaC6m18C8aGX8jvXXSiGORuDDBwzIBZuDWHOtSxG4AZktVa4n:HBAS
MD5:4BBD775E947CD895E2D262515280137E
SHA1:DF2A41DD56D177539DAD50A426C5D53B67302259
SHA-256:9D25AA5C67F4FDC7AB6E1925CF46D7B29F55901CA4511EF21C7D7925AA7D5113
SHA-512:A1B64E8760F273A67B68B0229D0CB0D5982157B33E800C62D29471AB085300025D7BA68A39CE6CB702EE3AF0C645CC233FDEFAE7A085D775CCA59D8AA9A99DB7
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3438
Entropy (8bit):3.422547196106784
Encrypted:false
SSDEEP:96:jr41ZKi9RDkE+0jDwy9mCZZETAp/mFj9Tb:g1ZKiXkE+s4UBE9Tb
MD5:1A986B2158C204709363480B6D6560FA
SHA1:C2CFD41442061E813BE2C005C7EB85034635CAA6
SHA-256:05FA537F603A86F32D2E05F6441459CEC290620DD3E46C3FA6A23E0B1D1A79B5
SHA-512:2D7845AE3ADB11B239A9D5DC5683C007CBA6D78B8CB16EF761744A55A94E5999826095725D0AD0D5165D9C10889C64BAC25CE6D63EDA0BA704A92D0D1596F000
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3058
Entropy (8bit):3.2411493963960187
Encrypted:false
SSDEEP:48:4gHhsJJyquEu+cFkgQMpldyFzS5lXdlBLJP7EgCTbsyreVjmkqAfiPbLQkWZaYry:qJ+NFWFWbdlB2vWmHDku5
MD5:642715A3645956918EFB1298057B0917
SHA1:A8B427066B136D7E3A913A5E1B3ABBB886B7309F
SHA-256:A2E8A296D428B3F53D975562EA642D4CC628F8F80E067E2290A984ACBAE13E45
SHA-512:4D033CA007BB67E24ACE5B3AD0DFE3585D6D6CCAB2F1A1EC1718ECCF7FF0B5F0631841AAA4184F7CC4882F3FDD67776C19E07E4EF96DFA6093129B28973843ED
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:data
Category:dropped
Size (bytes):3058
Entropy (8bit):3.1027253854984527
Encrypted:false
SSDEEP:48:canQbjWaPkucVEsbnlG2FKuDbo0Hf4Cb+d4BGEOJVH9ZoVNtqMqlILRIBqP0qwgx:c+DAeb9/AKZ0HdeE3jvm
MD5:42DC1DE09EE7F212DF2B5152E06B3C0D
SHA1:6AE54EA71594B88376B63DBA534A060A21AB2DEF
SHA-256:5069198EC35DEE3520FC18563290680CDEA184FF2650EBE3ACF83A5F7A2E2177
SHA-512:D8D04A280B81BEA5AE36F63E5912C4797FA7A54ACA5826FC110A44D5117DB8249023A6D4C5E9ADA542CB65A9A0209137E2BF8F813AC2144AB0161F3910CA2AB9
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1425 x 27 x 8 - top
Category:dropped
Size (bytes):38519
Entropy (8bit):1.6436496160004124
Encrypted:false
SSDEEP:384:oSdVTQHsdSUpRU0ykA08D6LHIwsgDihf5TyNvz+/r06Z++cW57v1AQDLU4+kBInN:LSMRp5HRDsTPiNMJ7AJqtY
MD5:7F93406E4DD1E1D715C2DDD19F4F0D41
SHA1:8C09D1050C33E17326C10F255EC79E2CA016C80C
SHA-256:5D6C070816DFC29DECF5A5D622BFD4221131EB9A9DFF0BB61D4A62C9492AA9A2
SHA-512:FCE537B4EFF7FDDFDBE659F40EEA00F0DF5AFAAAAD9543A4588BF068B8AB7A6CD3C9704A6DBE769DE4A2FE42FE86935CB4186D47E8ED10F1B6B408277CB08897
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 1600 x 34 x 8 - top
Category:dropped
Size (bytes):54444
Entropy (8bit):0.7317128838900055
Encrypted:false
SSDEEP:24:YQ8F/SSj4weSS5ZrcAzDtSS/cp3UU9TkBsPWINFIECxQ10SlzgY91o9MfTHkrugd:b
MD5:F8B8C71F04F750878115994008E0468B
SHA1:8FC292C417FF64A15205B16E364DCE089233DE19
SHA-256:8FA4385180AD2604231CB4D41FF9A77FB8A00DBFC2BA49C034F54751B90B0E89
SHA-512:E90EC95C6C7D781C261B0FA1AA94A311A4E94BDD3221ED5693F5ACDDF6F222B9FD0FB409F494BD6D6913E31CE8BA3C0E1536B34A2137FC8F4957DE9E17301D36
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:Targa image data - Mono 2200 x 51 x 8 - top
Category:dropped
Size (bytes):112244
Entropy (8bit):0.7425024616257148
Encrypted:false
SSDEEP:24:Ao3JizJg+bZAMpjjrlBp8Xv7MXpgRvyn8R+JGGgUnCz+9BogLcnS2gZRetoyb9UJ:I
MD5:4497DB7514559865DEE4B7EE8EAC8AD6
SHA1:DCED448067258678090D72FBB0119DCBE0B3674C
SHA-256:B270502CD0B6B4E03BD2580235D442122397C6BA82C0482E808A71124C640766
SHA-512:748AEAEB118E630DAAEF8B119DCB62040490ECD9665581E7746773C7FB6D599823F555065F359BE420372010C4219493E218AAF76938618761B2C371B4BDF88B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..............3.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:Targa image data - Mono 1900 x 43 x 8 - top
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):81744
                                                                                                                                                                                                          Entropy (8bit):0.7047024972799052
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:yBS/R8QqXKt0lqYUYKe08LkRBVqfjVLpcSgSzxCwdfwyydE7py0VtccMuSOK/c+N:T
                                                                                                                                                                                                          MD5:E39CEDF52C5CD02A52CD41A1ED9A6C51
                                                                                                                                                                                                          SHA1:EDBC01524A5893196483B9948B8ACE0D7FAF786E
                                                                                                                                                                                                          SHA-256:8D495B587926EDA8C10C7C18337F655B47B9BA6FAC7CB446A5A28AE9AD683519
                                                                                                                                                                                                          SHA-512:0C6D34D0F1D5151330051EAB5DD2C690A721938E0F324B07C48876E20649618F8043BA42B64B9DBE948C15498B4E1F68A8B5954857B4AEB8DD7DB41DA54B937B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............l.+.. ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2877
                                                                                                                                                                                                          Entropy (8bit):2.9014515734713138
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:S/+jVnw89RksLfnm/xLPMOtXdsoS76GQMXz4be8xueaa7OUPa0ULHSALtK56LmSc:SwnX3LfmkstsoS7jQMXz4b9xuedO7rLs
                                                                                                                                                                                                          MD5:29A268AB69DCA005914EC0944A38CD3E
                                                                                                                                                                                                          SHA1:8DA0E84DA7F45B5FEA453D40B53A671718014412
                                                                                                                                                                                                          SHA-256:D2F4A6A16EFB64D6CA543C7B1BBB0EE010C993B8C1B80D5A78BDFBC496799932
                                                                                                                                                                                                          SHA-512:29004D097F0ADADF80A739D48B19FF3ABD5C72BE7B311A61EBA04EB75930806A4318781452758B9C2863E0F8B88A94CC96FAA32C0F4C392878824CEC654B7B15
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:BMF..........d.........Arial..........................8PT-ARIAL-100dpi_0.tga..p... ...:...............!..................."...................#...................$...@...............%...!...............&...F...............'...................(...J...............)...N...............*...................+...d...............,...................-...>.................................../...^...............0...................1...................2...................3...................4...................5...................6...................7...................8...................9...................:...................;...................<...................=...................>...................?...................@...................A...j...............B...j...............C...v...............D...................E...................F...R...............G...................H...................I...................J...................K...................L...................M...R.............
                                                                                                                                                                                                          Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):5
                                                                                                                                                                                                          Entropy (8bit):2.321928094887362
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:lmn:Y
                                                                                                                                                                                                          MD5:74BB59D6D08810C47300705CD93F7FF6
                                                                                                                                                                                                          SHA1:693678CBB26BC3D0624A27A8CAAF56BE4159249E
                                                                                                                                                                                                          SHA-256:E60B56706B9242C426A9F6FA818DAC18B65A0E1B997B5181523B49BC03894366
                                                                                                                                                                                                          SHA-512:6878D2DBCFC2D86D6B29BB7F993BD22BF2A4785E6FE19AD4B676CF00E94DE9E8E0B7246C62A56CDD3CB93ADB69B1ABE3985491174A34F6A71BB485270D8E6B1F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:736..
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):70992
                                                                                                                                                                                                          Entropy (8bit):5.989810876164699
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:0uOUkO0UXRiKvbVAc5xt3lGnmdYw+WXsA9iYzvyq9rHUq:9OUu3KvbVtxt1Gnmdt+WXsox9oq
                                                                                                                                                                                                          MD5:2764C3E30034E9469ADBDBBC99BD98E7
                                                                                                                                                                                                          SHA1:F0014D2FAD0879323DCAFA6086647A21848910EE
                                                                                                                                                                                                          SHA-256:06F43698A703D3EF346C7FEDD8864452C4052EAB924A450CA1CCB12BC7C97049
                                                                                                                                                                                                          SHA-512:DE662E143460D44476AF66FDEB7A65699B06F565FED16F77B3776F3487ACCF76EE72016109549813F2C9F8B0DC061708C900FE3AE37C59DB374C4F33A67AAAFA
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=[.eS..eS..eS......eS......eS......eS..eR..eS......eS...-..eS......eS......eS.Rich.eS.................PE..L... .[J.....................................................................@......C.....@...... ......................................xW..............P....0..........................................@............................................text...f........................... ..`.data....(..........................@....rsrc...xW.......X..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):16260
                                                                                                                                                                                                          Entropy (8bit):4.756487759189681
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:NCr4rCni5BdEHu6VroqId0EesZ/8eMeWp:c0e6vEvfLw9fWp
                                                                                                                                                                                                          MD5:0699CA05F3648A1D38EC1B0493D6716E
                                                                                                                                                                                                          SHA1:1FD90589878EBF967399405193A6BCC8424484FE
                                                                                                                                                                                                          SHA-256:1656F2398978E0C7E06784A5706C49D57E54E073FB656D3728C7BCF97300D3E5
                                                                                                                                                                                                          SHA-512:3E7D568E40BDB1BEBA86F0978600BA033C3DD9C6589490AEC6CF8F10E8F1F461DFB566377036B4DACFC3F7299B8D75B223AB238458E76E27C17A5A9BEBF2E973
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Embedthis Appweb GPL License Agreement....This software is licensed according to the provisions of GNU GENERAL PUBLIC..LICENSE below. ....Commercial license are also available for those who require them. The..Embedthis Commercial License, allows you to provide commercial software..licenses for products containing Embedthis software. This is for individuals or..organizations that do not want to release their source code as open source /..free software as governed by the GPL license below. For more information on..licensing, please see:....http://embedthis.com/downloads/licensing.html....Some components of the sofware are licensed from third parties. See the end of..this document for a list of licensed third party software.....GNU GENERAL PUBLIC LICENSE, Version 2, June 1991.....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite..330, Boston, MA 02111-1307 USA....Everyone is permitted to copy and distribute verbatim copies of this license..document, but ch
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2739
                                                                                                                                                                                                          Entropy (8bit):4.855747086863456
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:p2KzzQdnd6rIrNIqru6pN47wEbPmh0ThMsgazBCz4t0PiSLbFD/YWJI:p2Kg6rIraqFpwr+h0TWsgaz0Dirn
                                                                                                                                                                                                          MD5:20AB580E399534B15A80596BF368D082
                                                                                                                                                                                                          SHA1:354FA14F13DE311A83395B4552179FE2692D73E4
                                                                                                                                                                                                          SHA-256:168F4FF32F22F24AC210959328322D2C73AFBD245E47BC7060DB68DF6E30C8C8
                                                                                                                                                                                                          SHA-512:A97137121B6B32D0B203E725CE0C850E97959851F94AB1A23818615166144096A2AD723D7EE89F72253B5D2C81271C8C50C19108D95DA661E7EF10AF44F0CC5B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:RdmAppweb....Welcome to the RdmAppweb -- the fastest little web server (from Embedthis..Appweb(TM))....This document contains details regarding the installation procedure for the..binary RdmAppweb package. This package contains pre-built stand-alone web..server and an embeddable HTTP library with headers. ....This software is copyrighted and distributed under license. Please read the..LICENSE.TXT for details.....Table of Contents....* System Requirements..* Installation Package Formats..* Development Environment Platform Support..* Windows Release Details..* Removing RdmAppweb..* Running RdmAppweb..* License and Copyright Information......System Requirements....Operating System Support.... * Windows-7, Windows-8 (x86,x64)....To install RdmAppweb, your system will need at least the following:.... * 10 MB Disk.. * 1 GB RAM....Installation Package Formats....Windows Release Details....To install the Windows Installer image:.... 1. Login with administrator privileges. This is n
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):12862
                                                                                                                                                                                                          Entropy (8bit):3.6798341854015195
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:q7KYJRfZ2YR6aRvnR0cORkoCqgR728KRPstRCZRk1RfRvRS24hRk8tCR2mRTkvRu:q7KYJRfZ2YR6aRvnR0cORkoCqgR728Ks
                                                                                                                                                                                                          MD5:C100FD2F4F4F10D15C0E6C4AFD22686D
                                                                                                                                                                                                          SHA1:AFE9BFD16D92EBB0CD96DA8054A566172742B2AC
                                                                                                                                                                                                          SHA-256:5585542C636B944637915F5BE13EC515619103150EC49F576D78DAB66F7503AC
                                                                                                                                                                                                          SHA-512:0E8E956933DB858F1CBA087A2A194454D3987FB1E14C033D38666637C36A0223E1BC4FFADE3E1725E7DC8F7F022928B4A66B9828E442E7E7BEA1D3DBA5666FE9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......@@......(2......(...@................0............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):574
Entropy (8bit):5.001382113834723
Encrypted:false
SSDEEP:12:DEvHXwD7kDULgQRHKDVkQpz2wP+BFooWzKzAbLN+7gAQvgI:D0YL7RHMVn4wP+QIugI
MD5:DFD942F01998889C9E180A125247908B
SHA1:6FA9ADF7F97149977C62F26CDA3AE38B5C309E19
SHA-256:E3D07372DFFB6AD07192D92270AFEEFAC0B385E535C7CB91B06ADDFFD58CEB85
SHA-512:DBED2E346D9067C09A2F9CFBD3A03E4348512736DBADC681FC4D6564B419C601A3E22759655D56E5F2D02FE42020AEC1E0F54E40C7308CF336C453A854AC96D1
Malicious:false
Preview:LoadModule sslModule libmod_ssl..SSLCertificateFile "RDM.crt"..SSLCertificateKeyFile "RDM.key"....LoadModule espHandler libmod_esp..AddHandler espHandler esp.. ..#load the DA..LoadModule RDMDA RDMDA....<Route ^/SCM/4.0/da.esp$>.. Name DA_service.. EspUpdate off.. AddHandler espHandler.. EspDir cache cache.. EspDir controllers controllers.. Source DA_service.c.. Target run service-DA..</Route>....#remove the LimitWorkers line once we upgrade to latest Appweb..LimitWorkers 1..LimitRequestBody 12072K..LimitRequestForm 12072K..LimitMemory 250MB....
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):506
Entropy (8bit):5.055354111443157
Encrypted:false
SSDEEP:12:DEvHXwD7kDULgQ53JVXnO70NMQMo2wP+B3ooW9TxvgI:D0YL7Rn9/MTwP+NYJgI
MD5:06FCF1DD45FC575B8B3A633F5F851EBA
SHA1:0BE8E294261D4AA7EAFB7DC5EBDDFB1EA94104B1
SHA-256:9FD1AF29D5DA6AF334933F466948F4BAA3FC11FFA79839D41947E59F217E07F5
SHA-512:6C3F9C805047DA4F70A4AD1ED3C52CC68B79C1267C8D7B3A7295D7364940803178A042A3350F601D1643FFA4FEFE2F52275CE21C60FEC4F5D336E5D398D88DA1
Malicious:false
Preview:LoadModule sslModule libmod_ssl..SSLCertificateFile "RDM.crt"..SSLCertificateKeyFile "RDM.key"....LoadModule espHandler libmod_esp..AddHandler espHandler esp....# load SAPI..LoadModule RDMSAPI RDMSAPIDLL.. ..<Route ^/SCM/4.0/scm.esp$>.. Name SCM_service.. EspUpdate off.. AddHandler espHandler.. EspDir cache cache.. EspDir controllers controllers.. Source SCM_service.c.. Target run service-SCM..</Route>......LimitRequestBody 12072K..LimitRequestForm 12072K..LimitMemory 250MB....
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2030
Entropy (8bit):4.942123442929845
Encrypted:false
SSDEEP:48:qXhKrzTbpV+JAcrPXGnEiCnvIIewNrfou/1:GhKrz5oSnE/h7Nrfdt
MD5:5D84902B4958057D539FE5D59C09CC62
SHA1:C6C93EA2F373D2C2229A89D0F10892C783828911
SHA-256:2F5640B2D15D8422FD490DAE180F4882C3443C37FF0821D1905395F87338CB48
SHA-512:A3407E48FC9043E554414DC31A1ED23D42E6F72C3F0623B72E09BA0A2C387210D3F289BABE5949249E72364BBF4E63E897348EC4C2ECD546536B8DD334B02A39
Malicious:false
Preview:#..# appweb.conf -- Default Configuration for the RDM Appweb HTTP Server..# ....# The order of configuration directives matters as this file is parsed only ..# once. This is a minimal configuration. ....#..# The install.config specifies: Documents, Listen and ListenSecure..#..include install.conf....#..# Define the logging configuration first so errors are logged. This is for..# errors and debug trace for the whole server including virtual hosts. Add ..# a timestamp every 1 hour. This is overridden by appweb command line args...#..ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr....#..# The user and group account to run as. The fake name APPWEB will change..# user/group to the Appweb default user/group if running as root/adminstrator...# This is www on MAC, nobody/nogroup on Linux, and administrator on Windows. ..# NOTE: ESP require write access to the cache directory. if you wish ..# to backup log files, you must have write permission to
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16896
Entropy (8bit):5.9801987745437435
Encrypted:false
SSDEEP:384:JB5KkbCUXI+YJavGsJu9hG+ENGS72dOaASl/eAlHByw41v3m:JB5hi+Y0vGsJu9hG+ENGS72dO9SlGAlg
MD5:13037BCDD7B6062CFC5D5939456AA7F0
SHA1:AD8C499F471570B8D0180C31EFC0F1E81D6F67F0
SHA-256:4961C91C6CB15EED0190FC0AFF734AB2321E15A52A08FB2A30D46BB121C62317
SHA-512:265DAE9076F81DA8560B0160F550E3FD7585185295090B2C0D242464178F43B10A4B561FA8739D73E8669A436D512D561254D35C7B0E4B08425977FF98198EFB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.638218753760879
Encrypted:false
SSDEEP:192:T1xbmFYsX4rMacMUW4E5dvkWaDkH43SzrweIGSkUCkLjgA:T1dm2sXQMacA7jv0SHweIGSk/
MD5:BA232235CDE212CF4900B84C7BF1CC0E
SHA1:71503AD422FD687B98AB1AA4324ED3555E50EB48
SHA-256:EF4EA693303901FFDBBA080778B10371B17F2A3E764086E8FB97471F0CA0F511
SHA-512:FF7FDF9193B22BDCE7167AFF31968C57EE779C4481C1CC1E39BE48127C53CA0425EC044F73F44F92C5597396D76C34B5061A38B6DCF9785B8B91D8BD69AB4259
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1857096
Entropy (8bit):7.0430565395846845
Encrypted:false
SSDEEP:49152:7C/J/oAVGOcpRsg1BhqQDkXiT8uscKu6GaXUT4IBAUZLYRAk:p1DFDVJBAUZL4
MD5:E0A73F6A1CBDEA0924DF4A5549DFB34B
SHA1:6F416B61BBB80A89416CC7A7FF08AFAD8D9223A7
SHA-256:96869A44E68F50084A9547DF337CC3717DCDECEFF6782280630E13B4E8F071D7
SHA-512:0EBF46978E82D157B7AC962C9BF46FF4954D9DD9A3157DC4EC7F6547EE126C3E3F10E546814AE3EE6471501FFC88377A4A12CF9D58F715EB96D1EE876C080A6A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......G.F...(B..(B..(B..wB%.(Bl..B..(B...B..(Bl..B..(Bl..B..(Bl..B..(B.T.B..(B...B..(B...B..(B..)B..(Bl..B4.(Bl..B..(Bl..B..(Bl..B..(BRich..(B........................PE..L...m..`...........!.........B............................................... ......h.....@..........................<......T........p..D............0..H&..................................D$.......#..@...............x............................text...U........................... ..`.rdata...<.......>..................@..@.data........@...b...,..............@....tls.........`......................@....rsrc...D....p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1647616
Entropy (8bit):7.088070986211455
Encrypted:false
SSDEEP:24576:ySJnwTP/jsmQQRCQ2HszYJT/Cf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLYMj0:ySJ9mo9JTSuscKu6GaXUT4IBAUZLYM
MD5:EAD0DDE5A722ACC8ADEA0C2263564F4D
SHA1:FC177E716E4870DE24106A6A1DFB971644D45244
SHA-256:807D582249379B09E6781BB974CD1FF94706632037C4657C9F8E85F16ACEBF16
SHA-512:EFDADE19E7FE02320539B2914E01CFAE2663079CEE45E8682FCB2CD7ED4429195CD719B6F48668D9F2829C0C6EFF4962A40F64BA7361497518FAD7D6357DA296
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ YA.A7..A7..A7.....A7.O....A7.....A7..7...A7..7...A7..9...A7..Mh..A7.....A7..9...A7..A6..@7.....A7.....A7..7...A7..7...A7..7...A7.Rich.A7.........PE..L......Y...........!.................J...................................................@.........................`L.......-.......p.............................0...............................@...@...............,............................text...\........................... ..`.rdata..............................@..@.data........P...Z...>..............@....tls.........`......................@....rsrc........p... ..................@..@.reloc...i.......j..................@..B........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1945512
Entropy (8bit):7.003194762767952
Encrypted:false
SSDEEP:49152:4gEzzioVnwD+qp+hNQUWZWkMnRqT3uscKu6GaXUT4IBAUZLYto:uZyLErn1JBAUZLN
MD5:2C46013BF4D8D9285BFB8BAA35796B70
SHA1:869D07FDBE3EBC456774E30CC93F6B955C764607
SHA-256:E0B2A7B49BAA567B449C34FA0937140B93B038CC955A18C2AF342204AEB53280
SHA-512:4B8281D570C5E2DCFFCC88121692CBB994F83FE266F3CC4F4CAE20138D4AAB876045D380915E939AD3343A9D2E195822A73FBAF2694453A57F77BD75F2279718
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.i.N.:.N.:.N.:.B.:.N.:.8H:.N.:p.L:.N.:.8J:.N.:.8.:.N.:.8~:.N.:...:.N.:.6W:.N.:.6G:.N.:.N.:.O.:.8{:.N.:.8O:.N.:.8N:.N.:.8I:.N.:Rich.N.:................PE..L...U^.a...........!................C........................................p.......#....@.........................p...................4................+......x.......................................@............................................text.............................. ..`.rdata..7g.......h..................@..@.data....}... ......................@....tls................................@....rsrc...4...........................@..@.reloc.............................@..B........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1774080
Entropy (8bit):7.043520941279824
Encrypted:false
SSDEEP:49152:AwLmc51zSpkalcTTuscKu6GaXUT4IBAUZLYhij:G2SWaTJBAUZLj
MD5:C6E45AFB3C783FB2426F57F5E8392160
SHA1:E3D9AE9092B4675965182D839C4B20CDAF6D67E8
SHA-256:1C32971CD97D1B524230099A30166A93E28F826498DC5B20DFBFE36BF4107B6C
SHA-512:C4FE04D3446FACD42018025A54389A8624BD9FBBDE76509D223FAE514B6F829A604F28F0F92BE619A4EA43FD6E4C686C90FFFB31C012922E4FC8F0D008CD755F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.U...;...;...;..j....;......;..j....;.x.....;.x.....;.......;...d.%.;..j....;.......;...:...;..j....;..j....;.x.....;.x.....;.x.....;.Rich..;.........PE..L...]..Y...........!.........*......>S....................................................@......................... .......X........@...8......................@...................................8...@............................................text............................... ..`.rdata..............................@..@.data....0..........................@....tls.........0.......V..............@....rsrc....8...@...:...X..............@..@.reloc..f~..........................@..B........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text
Category:dropped
Size (bytes):213049
Entropy (8bit):5.983977006554565
Encrypted:false
SSDEEP:6144:18jMx5y5lXkqDBwTzQNcQpdIJGd9kmsD/kEQMV:iMxkZS4NVsDX9
MD5:FB9F6A8E00AE22DA2B3C90E680136B9C
SHA1:CF1D4B95D90758D0009784BF2D25F22987149D3F
SHA-256:11EEAC7CC607D41336A7254E8E43580B1B3F7D99DFB194F150BD2353960C7D82
SHA-512:728396C05A72C45648131174B27530CB324A659CE6205BCD4560A0DE929CB4705AC74FBDD51B3580FB5FE32882D7E8113D764469B7F541BF04A6367F97758D4B
Malicious:false
Preview:## Downloaded from: http://curl.haxx.se/docs/caextract.html.##.## ca-bundle.crt -- Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Thu Oct 18 19:05:59 2012.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1.##.## It contains the certificates in PEM format and can be used with Appweb via.## the SSLCACertificateFile directive and in http via the --ca switch..##..# @(#) $RCSfile: certdata.txt,v $ $Revision: 1.86 $ $Date: 2012/10/18 16:26:52 $..GTE CyberTrust Global Root.==========================.-----BEGIN CERTIFICATE-----.MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg.Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG.A1UEAxMaR1RFIEN5YmVyV

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text, with very long lines (335), with CRLF line terminators
Category:dropped
Size (bytes):6865
Entropy (8bit):5.132770146551146
Encrypted:false
SSDEEP:96:FShozmjyCz4iT3NGQ855kJJUMQpTpyJCqu1RBKh/y3VuEqa6lPEXn/NCquuM8L:qOC33qszQpYJfjAIw/Nfwq
MD5:4FCB126204C2F688E16478713C745C61
SHA1:B74B1EEE921AEFAEC0970040CC62D745BD4BC632
SHA-256:C02EEE67B598394155AD477B5DCDDFD49FA5422BDFDC9C218E27A8881841351A
SHA-512:844FCABAFEAC6A484640FB104691F520281D7CFD6CDBCD29A748192871584EC3C26A58A568E254CE82EE9C63AD81AA670E26A11F424FFBD0729DE5DA74734919
Malicious:false
Preview:#..# esp.conf -- ESP compiler rules..# ..# Commands can be hard coded or they can used tokens of the form ${TOKEN}. The supported tokens are:..# AR - Library archiver command path..# ARCH - Target cpu architecture (arm, mips, ppc, x86)..# ARLIB - Archive library extension including period..# CC - Compiler command path..# CFLAGS - Extra compiler flags..# DEBUG - Compiler debug switches..# GCC_ARCH - Gcc architecture mtune|mcpu setting..# INC - Default include directory path..# LIBPATH - Library search path..# LIBS - Libraries to link with..# LDFLAGS - Extra linker flags..# MOD - Output module filename..# OBJ - Object filename corresponding to SRC..# OS - Target operating system (lower case)..# PLATFORM - Target platform system (os-arch)..#

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):11377
Entropy (8bit):4.942076353956956
Encrypted:false
SSDEEP:192:gA7U3ER9LUSmMM6SLIHluhIv6Qor0qd7C/kuNNWB0:N7KE7Lbw6yIHlcIvF/VNNF
MD5:A86303D1D3E047CFF8F58A52FDA38C94
SHA1:862469510ACAA4B86D8A75E50524B351A813DD85
SHA-256:F48776B5F21B2EA7E42D26D6458EDF8BDEEA05A74A2C6624375F5DD630DAB6A7
SHA-512:79685377C2A2E4B91AB299C7CDC076E01AF251ECEACBB9B385D7BC4B1F4DB9696FB97B09B2B405CE43ADCB1D03A893CDE3DD97C41E270D03DF8B999E1CBA92EA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..# install: Installation script for Appweb..#..# Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..################################################################################....HOME=`pwd`..FMT=..SITE=localhost..PAGE=/index.html....HOSTNAME=`hostname`..COMPANY="embedthis"..PRODUCT="RDMAppweb"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"..CPU="x86"..DIST="ms"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"..BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACH

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16384
Entropy (8bit):5.899521239113658
Encrypted:false
SSDEEP:384:EdLoOflKKgDoZ8/LbRm9fwOKbXQGu4HH:tOflKKgDkALbo9IbbXQG1
MD5:9ADB63236566865516EABD62C8022380
SHA1:7076E74099E116FEB850C6A0A9BA00A7281D6B7C
SHA-256:85374DA53306497D8416D890603FF4C82D750B45C858CF8B23A9BCD1BED2B3F7
SHA-512:C3B62FF949046CA3E26EF80908B79E0AB74ABA4A6F7627B1E97188E70AE97EB20BC6BD9DBA146901C41D214D84A9EB0B6430E0C9A40FECE5FE519A340B021AC9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..J............n.......n.......n.=......M].........|...n.<.....n.......n.......Rich....................PE..L.....[...........!.....$...........+.......@............................................@..........................P..R....E..x............................p.......................................D..@............@...............................text....".......$.................. ..`.rdata.."....@.......(..............@..@.data...X....`.......:..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................
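Each dropped-file record above carries the same triage fields: size, 8-bit entropy, an Encrypted flag, MD5/SHA-1/SHA-256/SHA-512, a libmagic-style file type and a hex-ish preview of the header. The following Python helper is an added example, not Joe Sandbox code and not part of this report; it reproduces those fields for an arbitrary byte string so an analyst can cross-check a dropped file against the report offline. It walks the PE header (MZ, e_lfanew, "PE\0\0", COFF header, section table) to recover the section names visible in the previews (.text, .rdata, .data, .tls, .rsrc, .reloc) and classifies PE32 vs PE32+ and DLL vs EXE from the optional-header magic and the IMAGE_FILE_DLL characteristic. The entropy threshold used for the Encrypted flag (7.9) is an assumption; the report does not state the threshold Joe Sandbox applies, and the DLLs above, at roughly 7.0 to 7.1 bits per byte, all sit below it and are marked Encrypted:false. The sample DLL header built in the block is constructed for the example and is not one of the files listed. SSDEEP is not reproduced because it needs an external library.

```python
import hashlib
import math
import struct
from collections import Counter
from dataclasses import dataclass, field

# Assumption (not from the report): entropy at or above this is treated as "likely encrypted/compressed".
ENCRYPTED_THRESHOLD = 7.9
# Bytes accepted in an "ASCII text" file: printable ASCII plus tab, LF, CR.
_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


@dataclass
class DroppedFileInfo:
    size: int
    entropy: float
    encrypted: bool
    md5: str
    sha1: str
    sha256: str
    sha512: str
    file_type: str
    sections: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input), the scale of 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_header(data: bytes):
    """Offset of the 'PE\\0\\0' signature, or None if `data` is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if off + 26 > len(data) or data[off:off + 4] != b"PE\0\0":
        return None
    return off


def pe_sections(data: bytes) -> list:
    """Section names from the section table, which follows the 24-byte COFF header and the optional header."""
    off = pe_header(data)
    if off is None:
        return []
    num_sections, = struct.unpack_from("<H", data, off + 6)
    opt_size, = struct.unpack_from("<H", data, off + 20)
    table = off + 24 + opt_size
    names = []
    for i in range(num_sections):
        entry = table + i * 40                                # IMAGE_SECTION_HEADER is 40 bytes
        if entry + 40 > len(data):
            break                                             # truncated image: stop rather than misreport
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def file_type(data: bytes) -> str:
    """Coarse equivalent of the report's 'File Type' field."""
    off = pe_header(data)
    if off is not None:
        machine, = struct.unpack_from("<H", data, off + 4)
        characteristics, = struct.unpack_from("<H", data, off + 22)
        magic, = struct.unpack_from("<H", data, off + 24)     # optional header magic
        bits = "PE32+" if magic == 0x20B else "PE32"
        kind = "DLL" if characteristics & 0x2000 else "EXE"   # IMAGE_FILE_DLL
        arch = {0x14C: "Intel 80386", 0x8664: "x86-64"}.get(machine, hex(machine))
        return f"{bits} executable ({kind}) {arch}, for MS Windows"
    if data and all(b in _TEXT_BYTES for b in data):
        return "ASCII text"
    return "data"


def describe(data: bytes) -> DroppedFileInfo:
    """Compute the per-file triage fields; digests are upper-case hex to match the report's rendering."""
    ent = shannon_entropy(data)
    return DroppedFileInfo(
        size=len(data),
        entropy=ent,
        encrypted=ent >= ENCRYPTED_THRESHOLD,
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
        file_type=file_type(data),
        sections=pe_sections(data),
    )


def build_sample_dll() -> bytes:
    """Constructed sample: a minimal, non-loadable PE32 DLL header with two sections (not a file from the report)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature right after DOS header
    # Signature, Machine=i386, NumberOfSections=2, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # EXECUTABLE|32BIT|DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    sections = b"".join(name.ljust(8, b"\0") + bytes(32) for name in (b".text", b".rdata"))
    return bytes(dos) + coff + bytes(opt) + sections


if __name__ == "__main__":
    for label, blob in (("sample.dll", build_sample_dll()), ("ca-bundle.crt", b"## ca-bundle.crt\r\n")):
        print(label, describe(blob))
```

Running `describe()` over a real dropped file (`describe(open(path, "rb").read())`) should give digests identical to the report's MD5/SHA fields; a mismatch means the file on disk is not the one the sandbox hashed.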
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18944
Entropy (8bit):6.028832391622257
Encrypted:false
SSDEEP:384:wQcCAzEw0V1EWt8/65n+lv84bbbDqg1EoL4WGsHH4:wsw0bEd/60lPbbOg1DR
MD5:E18A1AD9A5D290C9850A3622FA5D45BD
SHA1:4E08FB95260291396CC38AD0893EC0435F0D7B86
SHA-256:ED493B75DC61FC32E68D194C99FC0FA959B65ADA752321A1863BA28FA7C19F00
SHA-512:1B856DA72D828212FB912285B83E9E541443038D199F962BF65FB2A38306F4352FBED354339D7A1AB524E735F911E417A809C65326EED18AFC3D84379EB56921
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):62976
Entropy (8bit):6.3871862714349135
Encrypted:false
SSDEEP:1536:fcx5Wxp7SSeEkPbNj0FT0oxNy/jduwyojfjyxQ5D2zfndSIaBlgB6:fg5kSSrj0oxNy/jkDozjyxQ5D2jn5aB+
MD5:D7808E34CECB78040C24D5D3E6620F44
SHA1:7C0049BABB22E2B3C1ABFEEE9500455469E10E25
SHA-256:675D920F83B1332E2456284FBAD045AC7FC04FCAF21F1FBE2E9071A9EB98F8FB
SHA-512:102E8C638B46BE802F48E10DF728057F2D262BDF48701A71C29850ED283ED0BA21BFFF91B3130DF3FB45A16758E6E43B302D1BCC93E9B04E364ECAB9AB42AB1D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):11377
Entropy (8bit):4.942076353956956
Encrypted:false
SSDEEP:192:gA7U3ER9LUSmMM6SLIHluhIv6Qor0qd7C/kuNNWB0:N7KE7Lbw6yIHlcIvF/VNNF
MD5:A86303D1D3E047CFF8F58A52FDA38C94
SHA1:862469510ACAA4B86D8A75E50524B351A813DD85
SHA-256:F48776B5F21B2EA7E42D26D6458EDF8BDEEA05A74A2C6624375F5DD630DAB6A7
SHA-512:79685377C2A2E4B91AB299C7CDC076E01AF251ECEACBB9B385D7BC4B1F4DB9696FB97B09B2B405CE43ADCB1D03A893CDE3DD97C41E270D03DF8B999E1CBA92EA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..# install: Installation script for Appweb..#..# Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..################################################################################....HOME=`pwd`..FMT=..SITE=localhost..PAGE=/index.html....HOSTNAME=`hostname`..COMPANY="embedthis"..PRODUCT="RDMAppweb"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"..CPU="x86"..DIST="ms"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"..BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACH
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):9216
Entropy (8bit):5.432280273703063
Encrypted:false
SSDEEP:192:yabSCrLx6HOI7bdeHFbatuSuzr7iCkLC:nbg+FUuSuH7B
MD5:2B33B23FD5A45B1ACB401932D259469B
SHA1:F7A01D0036849BE6AE3381B282CC0C6BA1F5942C
SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
SHA-512:51BCC01DC1F41D49EA71E41E34855E0753AA3AD1E58F07A9F4EA2CE2AEC2D5C06C93AFAA254921DC2F874DF29497E5F2A3E5F6CA28293B0A2F26079601946422
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text
Category:dropped
Size (bytes):213049
Entropy (8bit):5.983977006554565
Encrypted:false
SSDEEP:6144:18jMx5y5lXkqDBwTzQNcQpdIJGd9kmsD/kEQMV:iMxkZS4NVsDX9
MD5:FB9F6A8E00AE22DA2B3C90E680136B9C
SHA1:CF1D4B95D90758D0009784BF2D25F22987149D3F
SHA-256:11EEAC7CC607D41336A7254E8E43580B1B3F7D99DFB194F150BD2353960C7D82
SHA-512:728396C05A72C45648131174B27530CB324A659CE6205BCD4560A0DE929CB4705AC74FBDD51B3580FB5FE32882D7E8113D764469B7F541BF04A6367F97758D4B
Malicious:false
Preview:## Downloaded from: http://curl.haxx.se/docs/caextract.html.##.## ca-bundle.crt -- Bundle of CA Root Certificates.##.## Certificate data from Mozilla as of: Thu Oct 18 19:05:59 2012.##.## This is a bundle of X.509 certificates of public Certificate Authorities.## (CA). These were automatically extracted from Mozilla's root certificates.## file (certdata.txt). This file can be found in the mozilla source tree:.## http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1.##.## It contains the certificates in PEM format and can be used with Appweb via.## the SSLCACertificateFile directive and in http via the --ca switch..##..# @(#) $RCSfile: certdata.txt,v $ $Revision: 1.86 $ $Date: 2012/10/18 16:26:52 $..GTE CyberTrust Global Root.==========================.-----BEGIN CERTIFICATE-----.MIICWjCCAcMCAgGlMA0GCSqGSIb3DQEBBAUAMHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg.Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEG.A1UEAxMaR1RFIEN5YmVyV
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1857096
Entropy (8bit):7.0430565395846845
Encrypted:false
SSDEEP:49152:7C/J/oAVGOcpRsg1BhqQDkXiT8uscKu6GaXUT4IBAUZLYRAk:p1DFDVJBAUZL4
MD5:E0A73F6A1CBDEA0924DF4A5549DFB34B
SHA1:6F416B61BBB80A89416CC7A7FF08AFAD8D9223A7
SHA-256:96869A44E68F50084A9547DF337CC3717DCDECEFF6782280630E13B4E8F071D7
SHA-512:0EBF46978E82D157B7AC962C9BF46FF4954D9DD9A3157DC4EC7F6547EE126C3E3F10E546814AE3EE6471501FFC88377A4A12CF9D58F715EB96D1EE876C080A6A
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1158144
Entropy (8bit):6.799583028872836
Encrypted:false
SSDEEP:24576:EqdexieP3sbOGmBuvzZo/VGxkWSEbJhspoZ8VeRp4rT:EzH8vzqt/WSEbTspoCV+p4rT
MD5:D09BDE0F13751C84CFEB30B84B3B24EF
SHA1:C571AF52BE38838E48D094FE5283918F37B376ED
SHA-256:BBB0EE5FFA4CC340285EDEC8C9B7304B51310EB78301F5E0904B9EED6BB61559
SHA-512:B12429EF53CA87B6A91D9ED99C37B847373D920B1BFF1AFBBE96C4FA12922A65E77D3E9CADBA8A946753F8CB307CFC68ABF7884EB6E6E3AE86B0203E08FAAFFB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1774080
Entropy (8bit):7.043520941279824
Encrypted:false
SSDEEP:49152:AwLmc51zSpkalcTTuscKu6GaXUT4IBAUZLYhij:G2SWaTJBAUZLj
MD5:C6E45AFB3C783FB2426F57F5E8392160
SHA1:E3D9AE9092B4675965182D839C4B20CDAF6D67E8
SHA-256:1C32971CD97D1B524230099A30166A93E28F826498DC5B20DFBFE36BF4107B6C
SHA-512:C4FE04D3446FACD42018025A54389A8624BD9FBBDE76509D223FAE514B6F829A604F28F0F92BE619A4EA43FD6E4C686C90FFFB31C012922E4FC8F0D008CD755F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):197632
Entropy (8bit):6.605166882111358
Encrypted:false
SSDEEP:3072:l4+4Hlg9IDr8P2vo4dxmpUCwnwcH4a4JR6Og1kQ4IBv+TUp01a1f7lK3d+AZbbhR:ZulgOXdxmmCGnYzg1b4IL71jlK
MD5:7834B39AE2448802CC49658DA3348692
SHA1:EBBFD671FC7EA5B336AFA2DB8259D2F439E14792
SHA-256:A55E1B5504584093C6416CD3C3B508CB83A7CC2AE2BD9B2FD7D6BAD4D09A46A7
SHA-512:B57D462C220F913FCC4A4BA6AC31870EEEAA8ED425D8D5277BCB8781ACD7D19E6087915B38379C98A980BE89C292F6C29F0B1336E2B54A19AC4CA17CA1FE0DB9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:current ar archive
Category:dropped
Size (bytes):2582
Entropy (8bit):4.87679160692813
Encrypted:false
SSDEEP:48:c90gLRtp8ZR/vJXKw4zyAOzxGCXKPgmzXKnWT2Lt/:c90eMjKixvKPhKnWT2Lt/
MD5:5AC67E3750ABF7238047BC2D38C98AAC
SHA1:143027DE25CFAE78B0855C8444F99FA33822717C
SHA-256:191FDCCFF02D38EC06F8B170D1C6B7637F19E568DB4C1A75BE6FB86B0F077DDA
SHA-512:182079DDB664D734DB3D1597D89528AB7B6E367C6C7200FB3F087EB50A2787C02A6983FF41D7E9AD4EE767CB1668719A275B3826091AEAF32CA1332286EB2754
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16896
Entropy (8bit):5.9801987745437435
Encrypted:false
SSDEEP:384:JB5KkbCUXI+YJavGsJu9hG+ENGS72dOaASl/eAlHByw41v3m:JB5hi+Y0vGsJu9hG+ENGS72dO9SlGAlg
MD5:13037BCDD7B6062CFC5D5939456AA7F0
SHA1:AD8C499F471570B8D0180C31EFC0F1E81D6F67F0
SHA-256:4961C91C6CB15EED0190FC0AFF734AB2321E15A52A08FB2A30D46BB121C62317
SHA-512:265DAE9076F81DA8560B0160F550E3FD7585185295090B2C0D242464178F43B10A4B561FA8739D73E8669A436D512D561254D35C7B0E4B08425977FF98198EFB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.616056614892387
Encrypted:false
SSDEEP:96:J1zaL+JOWK6kIvpwXvB0qMWJ5x1Y3XYMekSIL3Lo8Dmm:vzo+JOWK3sc5M6M3XYHHIL3NN
MD5:14BC81E513A7FB6120961D6F44E03777
SHA1:36E9B282B5B428103C32F87B0C1CE56D590209D5
SHA-256:E05F61AE4EC2D9EC4B306DAB2E3672FFD139729D0F08EB6F4360F3A7200BBB16
SHA-512:3E792A98C1CD54BE1A7B6BE2FCE18F38C489DC6039F64D146E7775FDD2E6F8036AE3E004B3BCDCEF197ADABDFAD5184A30E192BC18061005C54E157A022864CF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1945512
Entropy (8bit):7.003194762767952
Encrypted:false
SSDEEP:49152:4gEzzioVnwD+qp+hNQUWZWkMnRqT3uscKu6GaXUT4IBAUZLYto:uZyLErn1JBAUZLN
MD5:2C46013BF4D8D9285BFB8BAA35796B70
SHA1:869D07FDBE3EBC456774E30CC93F6B955C764607
SHA-256:E0B2A7B49BAA567B449C34FA0937140B93B038CC955A18C2AF342204AEB53280
SHA-512:4B8281D570C5E2DCFFCC88121692CBB994F83FE266F3CC4F4CAE20138D4AAB876045D380915E939AD3343A9D2E195822A73FBAF2694453A57F77BD75F2279718
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):90624
Entropy (8bit):6.27698072245688
Encrypted:false
SSDEEP:1536:RCVwsShqzeV5GgLvNtJCB5gFJ8Zl7TzueeHOAG4dNEDtCh6CBE:ROwsSJV5GoLPFiP7TCeeHOp8YtB8E
MD5:4F054B2C3650E37B9CD1CC39C4EB2E8E
SHA1:06930BD391261E504596C0F64D44B0C457AA28F4
SHA-256:1FAA19FB677D694A954004D0C09BD1B16A87263271EA5EC0042992659FA85A1C
SHA-512:D48561D3B4612D0B8D959FD3759A816CB11128BB6D81253B03DB8BC2FEFC4ACF8CE89F3947E34C8BA3847059274012E07CEB92014DD88A45B05C09F1DDF1DACD
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):114176
                                                                                                                                                                                                          Entropy (8bit):6.540804087334283
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:/3M4p/hdZNjBEp3DXrWaAhiZCQVUNPbPi+hDJVTMJetNiDvSuG61z:/3M4p/hBBEdawCBNT6+hDJVTKDvi6
                                                                                                                                                                                                          MD5:17AB0F15C0FED482AC60CC027895A5BB
                                                                                                                                                                                                          SHA1:F46F4BF77F09437B364D769AFB73011F9959BE99
                                                                                                                                                                                                          SHA-256:01A869D2268C6B9E5D5E2FD5C8BDEA02701C94D0232E5C1A13D8CACF25B9724B
                                                                                                                                                                                                          SHA-512:0B0A10332DB81DEC44ADA6646CADB907FE3D9B623A50FF729A97F4EE24E90420A9213D4D0F04769FA64D08A4C3DC5DD90F5559570CB8E9946946A0A150F7E02C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......TW...6.Y.6.Y.6.Y.@6Y.6.Y.@4Y.6.Y.@.Y.6.Y..aY.6.Y.6.Y67.Y.@.Y.6.Y.@1Y.6.Y.@7Y.6.YRich.6.Y........................PE..L.....[...........!.................1.......@............................................@.............................o...,}..................................X...................................`|..@............@...............................text..."-.......................... ..`.rdata...t...@...v...2..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):270848
                                                                                                                                                                                                          Entropy (8bit):6.409278080790753
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:gefvLqSPbFqnJyt8Zwc1VaB4SBjRx7wWhKIhvt6NcJOwz1vBsBbf0INo00bq9Kpk:ge7qSPpqnJytEwc1Vu5BjRxEWhKIhvt0
                                                                                                                                                                                                          MD5:DCDD3041A03ABCBA60BF51D2E1345133
                                                                                                                                                                                                          SHA1:9B81D6C3D7F6D16A73222BCB5ACEC231C46B6F6B
                                                                                                                                                                                                          SHA-256:4BE51BD9D1C4E2EFDF4DA64511352D591748B7E71492FC9E85E901DC37CF03CE
                                                                                                                                                                                                          SHA-512:8BD431EBE6972A24EC6CDE4DAE062A4D545F4DE966C3A442D87E34E7E80D394533D739EFEC0F39EB2C8B9A3BC3B17B1B0B4BE86D877C1A4E7FA877F056C118C3
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r...!...!...!...!...!...!...!..*!...!...!...!...!%..!..+!...!...!...!...!...!...!...!Rich...!........PE..L...Og1Y...........!......................... ...............................`............@.............................p$..L...P.... ..@....................0...#..0&..............................@...@............ ...............................text............................... ..`.rdata..0.... ......................@..@.data....1..........................@....rsrc...@.... ......................@..@.reloc...$...0...&..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):770384
                                                                                                                                                                                                          Entropy (8bit):6.908020029901359
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with very long lines (335), with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6865
                                                                                                                                                                                                          Entropy (8bit):5.132770146551146
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:FShozmjyCz4iT3NGQ855kJJUMQpTpyJCqu1RBKh/y3VuEqa6lPEXn/NCquuM8L:qOC33qszQpYJfjAIw/Nfwq
                                                                                                                                                                                                          MD5:4FCB126204C2F688E16478713C745C61
                                                                                                                                                                                                          SHA1:B74B1EEE921AEFAEC0970040CC62D745BD4BC632
                                                                                                                                                                                                          SHA-256:C02EEE67B598394155AD477B5DCDDFD49FA5422BDFDC9C218E27A8881841351A
                                                                                                                                                                                                          SHA-512:844FCABAFEAC6A484640FB104691F520281D7CFD6CDBCD29A748192871584EC3C26A58A568E254CE82EE9C63AD81AA670E26A11F424FFBD0729DE5DA74734919
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:#..# esp.conf -- ESP compiler rules..# ..# Commands can be hard coded or they can used tokens of the form ${TOKEN}. The supported tokens are:..# AR - Library archiver command path..# ARCH - Target cpu architecture (arm, mips, ppc, x86)..# ARLIB - Archive library extension including period..# CC - Compiler command path..# CFLAGS - Extra compiler flags..# DEBUG - Compiler debug switches..# GCC_ARCH - Gcc architecture mtune|mcpu setting..# INC - Default include directory path..# LIBPATH - Library search path..# LIBS - Libraries to link with..# LDFLAGS - Extra linker flags..# MOD - Output module filename..# OBJ - Object filename corresponding to SRC..# OS - Target operating system (lower case)..# PLATFORM - Target platform system (os-arch)..#
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9216
                                                                                                                                                                                                          Entropy (8bit):5.423164915401689
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:8STpOu+I1gcIv72DwhRrw4Scw03Xdt4XPzHHIL3lvioD:l1OlUgwwhRrwEwcobHHBoD
                                                                                                                                                                                                          MD5:7FE011C054A8D8621237289B5036671B
                                                                                                                                                                                                          SHA1:9F09B469420E728FCC13C8FFB4B6093271F64EAA
                                                                                                                                                                                                          SHA-256:D0A0A1896D406D6DE3F94EA252795BF1B120A0F205D9A32BFACE5BDE244B1391
                                                                                                                                                                                                          SHA-512:6D7AEAB8C44277D7CC38B298B8F329491F2E81D382491E4E1DDE1532A1412A76B068EEAE90F26345AA52BBAAB22274293F4DFCDF292DEE64D4A0F7835B0F268D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..J!...!...!...N...(...N... ...N.=.#....m].#...!.......N.<.,...N... ...N... ...Rich!...................PE..L.....[...........!.........................0...............................`............@..........................8..Q...L3..x............................P.......................................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....@....... ..............@....reloc.......P......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):212992
                                                                                                                                                                                                          Entropy (8bit):6.807214175642466
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:d9IX3/AUmgxsd4zAqfUVHv9VruvpEn1bFefUwMC/zAyEqz3Aof7b4x0fhmybO+vb:7IrFY/qeHvTCZKyP7pzb4x0fhmybOs
                                                                                                                                                                                                          MD5:019B7EFBF61D12FC6372D4EAC6DDA58D
                                                                                                                                                                                                          SHA1:060F00308E8E83371E76912FC041A8B66026D44C
                                                                                                                                                                                                          SHA-256:CA22BB9AFB36AF7EAAE9C1DDD06690C7B01BD66BEE4BF8BBEA2F476E2EA7428C
                                                                                                                                                                                                          SHA-512:DF282162A8C40C204557DE6ECC1454AF5DAAAB9684CB654D7C8876CD13B39F24C5E7CBB3E4B18D3DDBBB78C7C6D7CB9E7C0F322C2B24D97BD4796D2945098EE2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(X..l9..l9..l9...O..n9...O..e9...O0.n9...P.e9..l9...9...O1.a9...O..m9...O..m9..Richl9..................PE..L.....[...........!.........................................................`............@..............................D..\...x............................@..........................................@............................................text...D........................... ..`.rdata..............................@..@.data...d....0......................@....reloc.......@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):12288
                                                                                                                                                                                                          Entropy (8bit):5.638218753760879
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:T1xbmFYsX4rMacMUW4E5dvkWaDkH43SzrweIGSkUCkLjgA:T1dm2sXQMacA7jv0SHweIGSk/
                                                                                                                                                                                                          MD5:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                                          SHA1:71503AD422FD687B98AB1AA4324ED3555E50EB48
                                                                                                                                                                                                          SHA-256:EF4EA693303901FFDBBA080778B10371B17F2A3E764086E8FB97471F0CA0F511
                                                                                                                                                                                                          SHA-512:FF7FDF9193B22BDCE7167AFF31968C57EE779C4481C1CC1E39BE48127C53CA0425EC044F73F44F92C5597396D76C34B5061A38B6DCF9785B8B91D8BD69AB4259
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........;...Z..Z..Z...,..Z...,..Z...,..Z..K...Z..Z~..Z...,..Z...,..Z...,..Z..Rich.Z..........................PE..L.....[.....................................0....@..........................`............@.........................p?..E...t7...............................P..L....................................6..@............0..|............................text...r........................... ..`.rdata.......0......................@..@.data........@.......*..............@....reloc.......P.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1647616
Entropy (8bit):7.088070986211455
Encrypted:false
SSDEEP:24576:ySJnwTP/jsmQQRCQ2HszYJT/Cf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLYMj0:ySJ9mo9JTSuscKu6GaXUT4IBAUZLYM
MD5:EAD0DDE5A722ACC8ADEA0C2263564F4D
SHA1:FC177E716E4870DE24106A6A1DFB971644D45244
SHA-256:807D582249379B09E6781BB974CD1FF94706632037C4657C9F8E85F16ACEBF16
SHA-512:EFDADE19E7FE02320539B2914E01CFAE2663079CEE45E8682FCB2CD7ED4429195CD719B6F48668D9F2829C0C6EFF4962A40F64BA7361497518FAD7D6357DA296
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ YA.A7..A7..A7.....A7.O....A7.....A7..7...A7..7...A7..9...A7..Mh..A7.....A7..9...A7..A6..@7.....A7.....A7..7...A7..7...A7..7...A7.Rich.A7.........PE..L......Y...........!.................J...................................................@.........................`L.......-.......p.............................0...............................@...@...............,............................text...\........................... ..`.rdata..............................@..@.data........P...Z...>..............@....tls.........`......................@....rsrc........p... ..................@..@.reloc...i.......j..................@..B........................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Category:dropped
Size (bytes):8329
Entropy (8bit):4.990362708041138
Encrypted:false
SSDEEP:96:Mysmv0i6F818NxRBNib8HUjxeUuuIZeMiBWesmeBBQLVGfPzEUHj5v:A+uBmYgHH24Vk7DHN
MD5:A4C8DF90B93FD01C6ED33137E9BE7ACC
SHA1:E60A19D55267D0B0284E112FAEC0CECF82D61062
SHA-256:ECBDEDFCF8D6C88019EC75FC3697BC2D59370042973FE0B5839350D9496B168B
SHA-512:F2608AF48C3EFAE58FFC45197BB060933C6129F8A8FCE7580002030D2DAD6E822E85B4B27142AD78B78B632F0BBB566889F3E6DE6D8DA04F9329CAA558017756
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..#.uninstall: RDM Appweb uninstall script..#..#.Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..#.Usage: uninstall [configFile]..#..################################################################################....HOME=`pwd`..FMT=....PRODUCT="RDMAppweb"..COMPANY="embedthis"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"....BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACHE_PREFIX="C:\Program Files\RDM Appweb\cache"

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):62976
Entropy (8bit):6.3871862714349135
Encrypted:false
SSDEEP:1536:fcx5Wxp7SSeEkPbNj0FT0oxNy/jduwyojfjyxQ5D2zfndSIaBlgB6:fg5kSSrj0oxNy/jkDozjyxQ5D2jn5aB+
MD5:D7808E34CECB78040C24D5D3E6620F44
SHA1:7C0049BABB22E2B3C1ABFEEE9500455469E10E25
SHA-256:675D920F83B1332E2456284FBAD045AC7FC04FCAF21F1FBE2E9071A9EB98F8FB
SHA-512:102E8C638B46BE802F48E10DF728057F2D262BDF48701A71C29850ED283ED0BA21BFFF91B3130DF3FB45A16758E6E43B302D1BCC93E9B04E364ECAB9AB42AB1D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.~"..~"..~"......~"......~"......~".{..~"..~#..."......~"......~"......~".Rich.~".........PE..L.....[...........!.........V......X........................................ ............@.............................v.......d...............................<...................................X...@............................................text...l........................... ..`.rdata...D.......F..................@..@.data...p...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1158144
Entropy (8bit):6.799583028872836
Encrypted:false
SSDEEP:24576:EqdexieP3sbOGmBuvzZo/VGxkWSEbJhspoZ8VeRp4rT:EzH8vzqt/WSEbTspoCV+p4rT
MD5:D09BDE0F13751C84CFEB30B84B3B24EF
SHA1:C571AF52BE38838E48D094FE5283918F37B376ED
SHA-256:BBB0EE5FFA4CC340285EDEC8C9B7304B51310EB78301F5E0904B9EED6BB61559
SHA-512:B12429EF53CA87B6A91D9ED99C37B847373D920B1BFF1AFBBE96C4FA12922A65E77D3E9CADBA8A946753F8CB307CFC68ABF7884EB6E6E3AE86B0203E08FAAFFB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I...'Z..'Z..'Z..Z..'Z..Z..'Z..Z..'Z..&Z..'Z..Z..'Z..Z.'Z..Z..'Z..Z..'Z..Z..'ZRich..'Z........................PE..L...Cg1Y...........!.....f...h.......p....................................................@.............................Q...l........P..@....................`.....................................H...@............................................text....e.......f.................. ..`.rdata..a:.......<...j..............@..@.data............^..................@....rsrc...@....P......................@..@.reloc..f....`......................@..B................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):197632
Entropy (8bit):6.605166882111358
Encrypted:false
SSDEEP:3072:l4+4Hlg9IDr8P2vo4dxmpUCwnwcH4a4JR6Og1kQ4IBv+TUp01a1f7lK3d+AZbbhR:ZulgOXdxmmCGnYzg1b4IL71jlK
MD5:7834B39AE2448802CC49658DA3348692
SHA1:EBBFD671FC7EA5B336AFA2DB8259D2F439E14792
SHA-256:A55E1B5504584093C6416CD3C3B508CB83A7CC2AE2BD9B2FD7D6BAD4D09A46A7
SHA-512:B57D462C220F913FCC4A4BA6AC31870EEEAA8ED425D8D5277BCB8781ACD7D19E6087915B38379C98A980BE89C292F6C29F0B1336E2B54A19AC4CA17CA1FE0DB9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.K.+.%.+.%.+.%.D...-.%.D...-.%.D...).%....(.%.+.$.1.%.D...%.%.D...*.%.D...*.%.Rich+.%.........PE..L.....[...........!.....L...........N.......`...............................0............@.........................P...s7.....d...............................<.......................................@............`..x............................text...bK.......L.................. ..`.rdata......`.......P..............@..@.data...4...........................@....reloc..,...........................@..B................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16384
Entropy (8bit):5.899521239113658
Encrypted:false
SSDEEP:384:EdLoOflKKgDoZ8/LbRm9fwOKbXQGu4HH:tOflKKgDkALbo9IbbXQG1
MD5:9ADB63236566865516EABD62C8022380
SHA1:7076E74099E116FEB850C6A0A9BA00A7281D6B7C
SHA-256:85374DA53306497D8416D890603FF4C82D750B45C858CF8B23A9BCD1BED2B3F7
SHA-512:C3B62FF949046CA3E26EF80908B79E0AB74ABA4A6F7627B1E97188E70AE97EB20BC6BD9DBA146901C41D214D84A9EB0B6430E0C9A40FECE5FE519A340B021AC9
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E..J............n.......n.......n.=......M].........|...n.<.....n.......n.......Rich....................PE..L.....[...........!.....$...........+.......@............................................@..........................P..R....E..x............................p.......................................D..@............@...............................text....".......$.................. ..`.rdata.."....@.......(..............@..@.data...X....`.......:..............@....reloc.......p.......<..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):114176
Entropy (8bit):6.540804087334283
Encrypted:false
SSDEEP:1536:/3M4p/hdZNjBEp3DXrWaAhiZCQVUNPbPi+hDJVTMJetNiDvSuG61z:/3M4p/hBBEdawCBNT6+hDJVTKDvi6
MD5:17AB0F15C0FED482AC60CC027895A5BB
SHA1:F46F4BF77F09437B364D769AFB73011F9959BE99
SHA-256:01A869D2268C6B9E5D5E2FD5C8BDEA02701C94D0232E5C1A13D8CACF25B9724B
SHA-512:0B0A10332DB81DEC44ADA6646CADB907FE3D9B623A50FF729A97F4EE24E90420A9213D4D0F04769FA64D08A4C3DC5DD90F5559570CB8E9946946A0A150F7E02C
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......TW...6.Y.6.Y.6.Y.@6Y.6.Y.@4Y.6.Y.@.Y.6.Y..aY.6.Y.6.Y67.Y.@.Y.6.Y.@1Y.6.Y.@7Y.6.YRich.6.Y........................PE..L.....[...........!.................1.......@............................................@.............................o...,}..................................X...................................`|..@............@...............................text..."-.......................... ..`.rdata...t...@...v...2..............@..@.data...............................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9216
                                                                                                                                                                                                          Entropy (8bit):5.423164915401689
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:8STpOu+I1gcIv72DwhRrw4Scw03Xdt4XPzHHIL3lvioD:l1OlUgwwhRrwEwcobHHBoD
                                                                                                                                                                                                          MD5:7FE011C054A8D8621237289B5036671B
                                                                                                                                                                                                          SHA1:9F09B469420E728FCC13C8FFB4B6093271F64EAA
                                                                                                                                                                                                          SHA-256:D0A0A1896D406D6DE3F94EA252795BF1B120A0F205D9A32BFACE5BDE244B1391
                                                                                                                                                                                                          SHA-512:6D7AEAB8C44277D7CC38B298B8F329491F2E81D382491E4E1DDE1532A1412A76B068EEAE90F26345AA52BBAAB22274293F4DFCDF292DEE64D4A0F7835B0F268D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e..J!...!...!...N...(...N... ...N.=.#....m].#...!.......N.<.,...N... ...N... ...Rich!...................PE..L.....[...........!.........................0...............................`............@..........................8..Q...L3..x............................P.......................................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....@....... ..............@....reloc.......P......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):212992
                                                                                                                                                                                                          Entropy (8bit):6.807214175642466
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:d9IX3/AUmgxsd4zAqfUVHv9VruvpEn1bFefUwMC/zAyEqz3Aof7b4x0fhmybO+vb:7IrFY/qeHvTCZKyP7pzb4x0fhmybOs
                                                                                                                                                                                                          MD5:019B7EFBF61D12FC6372D4EAC6DDA58D
                                                                                                                                                                                                          SHA1:060F00308E8E83371E76912FC041A8B66026D44C
                                                                                                                                                                                                          SHA-256:CA22BB9AFB36AF7EAAE9C1DDD06690C7B01BD66BEE4BF8BBEA2F476E2EA7428C
                                                                                                                                                                                                          SHA-512:DF282162A8C40C204557DE6ECC1454AF5DAAAB9684CB654D7C8876CD13B39F24C5E7CBB3E4B18D3DDBBB78C7C6D7CB9E7C0F322C2B24D97BD4796D2945098EE2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(X..l9..l9..l9...O..n9...O..e9...O0.n9...P.e9..l9...9...O1.a9...O..m9...O..m9..Richl9..................PE..L.....[...........!.........................................................`............@..............................D..\...x............................@..........................................@............................................text...D........................... ..`.rdata..............................@..@.data...d....0......................@....reloc.......@......."..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):18944
                                                                                                                                                                                                          Entropy (8bit):6.028832391622257
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:wQcCAzEw0V1EWt8/65n+lv84bbbDqg1EoL4WGsHH4:wsw0bEd/60lPbbOg1DR
                                                                                                                                                                                                          MD5:E18A1AD9A5D290C9850A3622FA5D45BD
                                                                                                                                                                                                          SHA1:4E08FB95260291396CC38AD0893EC0435F0D7B86
                                                                                                                                                                                                          SHA-256:ED493B75DC61FC32E68D194C99FC0FA959B65ADA752321A1863BA28FA7C19F00
                                                                                                                                                                                                          SHA-512:1B856DA72D828212FB912285B83E9E541443038D199F962BF65FB2A38306F4352FBED354339D7A1AB524E735F911E417A809C65326EED18AFC3D84379EB56921
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p..R...R...R...=g..Z...=g..P...=g&.P.....F.Q...R...+...=g'._...=g..S...=g..S...RichR...........PE..L.....[...........!.....$...&......?+.......@............................................@..........................X......|Q..x............................p..x....................................P..@............@...............................text....".......$.................. ..`.rdata.......@.......(..............@..@.data........`.......B..............@....reloc.......p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:current ar archive
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2582
                                                                                                                                                                                                          Entropy (8bit):4.87679160692813
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:c90gLRtp8ZR/vJXKw4zyAOzxGCXKPgmzXKnWT2Lt/:c90eMjKixvKPhKnWT2Lt/
                                                                                                                                                                                                          MD5:5AC67E3750ABF7238047BC2D38C98AAC
                                                                                                                                                                                                          SHA1:143027DE25CFAE78B0855C8444F99FA33822717C
                                                                                                                                                                                                          SHA-256:191FDCCFF02D38EC06F8B170D1C6B7637F19E568DB4C1A75BE6FB86B0F077DDA
                                                                                                                                                                                                          SHA-512:182079DDB664D734DB3D1597D89528AB7B6E367C6C7200FB3F087EB50A2787C02A6983FF41D7E9AD4EE767CB1668719A275B3826091AEAF32CA1332286EB2754
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:!<arch>./ 1542830833 0 332 `........$...V...........8...8...........N...N........__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR..libmprssl_NULL_THUNK_DATA.__imp__mprCiphers.__imp__mprGetSslCipherName._mprGetSslCipherName.__imp__mprGetSslCipherCode._mprGetSslCipherCode.__imp__mprCreateOpenSslModule._mprCreateOpenSslModule.__imp__mprSslInit._mprSslInit./ 1542830833 0 344 `.....$...V...........8.......N...................................__IMPORT_DESCRIPTOR_libmprssl.__NULL_IMPORT_DESCRIPTOR.__imp__mprCiphers.__imp__mprCreateOpenSslModule.__imp__mprGetSslCipherCode.__imp__mprGetSslCipherName.__imp__mprSslInit._mprCreateOpenSslModule._mprGetSslCipherCode._mprGetSslCipherName._mprSslInit..libmprssl_NULL_THUNK_DATA.libmprssl.dll/ 1542830833 0 501 `.L.....[.............debug$S........C...................@..B.idata$2............................@.0..idata$6............................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):90624
                                                                                                                                                                                                          Entropy (8bit):6.27698072245688
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:RCVwsShqzeV5GgLvNtJCB5gFJ8Zl7TzueeHOAG4dNEDtCh6CBE:ROwsSJV5GoLPFiP7TCeeHOp8YtB8E
                                                                                                                                                                                                          MD5:4F054B2C3650E37B9CD1CC39C4EB2E8E
                                                                                                                                                                                                          SHA1:06930BD391261E504596C0F64D44B0C457AA28F4
                                                                                                                                                                                                          SHA-256:1FAA19FB677D694A954004D0C09BD1B16A87263271EA5EC0042992659FA85A1C
                                                                                                                                                                                                          SHA-512:D48561D3B4612D0B8D959FD3759A816CB11128BB6D81253B03DB8BC2FEFC4ACF8CE89F3947E34C8BA3847059274012E07CEB92014DD88A45B05C09F1DDF1DACD
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......VO&...H...H...H.}X....H.}X....H.}X....H......H...I.0.H.}X....H.}X....H.}X....H.Rich..H.........PE..L.....[...........!................".....................................................@..........................l......<i..<...................................................................ph..@............................................text............................... ..`.rdata..~}.......~..................@..@.data...x....p.......X..............@....reloc...............Z..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6144
                                                                                                                                                                                                          Entropy (8bit):4.616056614892387
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:J1zaL+JOWK6kIvpwXvB0qMWJ5x1Y3XYMekSIL3Lo8Dmm:vzo+JOWK3sc5M6M3XYHHIL3NN
                                                                                                                                                                                                          MD5:14BC81E513A7FB6120961D6F44E03777
                                                                                                                                                                                                          SHA1:36E9B282B5B428103C32F87B0C1CE56D590209D5
                                                                                                                                                                                                          SHA-256:E05F61AE4EC2D9EC4B306DAB2E3672FFD139729D0F08EB6F4360F3A7200BBB16
                                                                                                                                                                                                          SHA-512:3E792A98C1CD54BE1A7B6BE2FCE18F38C489DC6039F64D146E7775FDD2E6F8036AE3E004B3BCDCEF197ADABDFAD5184A30E192BC18061005C54E157A022864CF
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<..x...x...x.......{.......y.....&.z...XF.z...x...f.....'.u.......y.......y...Richx...........PE..L.....[...........!................o........ ...............................P............@..........................$..V...l!..<............................@.. .................................... ..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...`....0......................@....reloc..T....@......................@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):770384
                                                                                                                                                                                                          Entropy (8bit):6.908020029901359
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
                                                                                                                                                                                                          MD5:67EC459E42D3081DD8FD34356F7CAFC1
                                                                                                                                                                                                          SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
                                                                                                                                                                                                          SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
                                                                                                                                                                                                          SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9216
                                                                                                                                                                                                          Entropy (8bit):5.432280273703063
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:yabSCrLx6HOI7bdeHFbatuSuzr7iCkLC:nbg+FUuSuH7B
                                                                                                                                                                                                          MD5:2B33B23FD5A45B1ACB401932D259469B
                                                                                                                                                                                                          SHA1:F7A01D0036849BE6AE3381B282CC0C6BA1F5942C
                                                                                                                                                                                                          SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
                                                                                                                                                                                                          SHA-512:51BCC01DC1F41D49EA71E41E34855E0753AA3AD1E58F07A9F4EA2CE2AEC2D5C06C93AFAA254921DC2F874DF29497E5F2A3E5F6CA28293B0A2F26079601946422
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6...6...6.......6.......6.......6.93....6...7...6.......6.......6.Rich..6.........PE..L.....[............................c........0....@..........................`............@..................................2..<............................P...................................... 2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..^....P....... ..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):270848
                                                                                                                                                                                                          Entropy (8bit):6.409278080790753
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:gefvLqSPbFqnJyt8Zwc1VaB4SBjRx7wWhKIhvt6NcJOwz1vBsBbf0INo00bq9Kpk:ge7qSPpqnJytEwc1Vu5BjRxEWhKIhvt0
                                                                                                                                                                                                          MD5:DCDD3041A03ABCBA60BF51D2E1345133
                                                                                                                                                                                                          SHA1:9B81D6C3D7F6D16A73222BCB5ACEC231C46B6F6B
                                                                                                                                                                                                          SHA-256:4BE51BD9D1C4E2EFDF4DA64511352D591748B7E71492FC9E85E901DC37CF03CE
                                                                                                                                                                                                          SHA-512:8BD431EBE6972A24EC6CDE4DAE062A4D545F4DE966C3A442D87E34E7E80D394533D739EFEC0F39EB2C8B9A3BC3B17B1B0B4BE86D877C1A4E7FA877F056C118C3
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........r...!...!...!...!...!...!...!..*!...!...!...!...!%..!..+!...!...!...!...!...!...!...!Rich...!........PE..L...Og1Y...........!......................... ...............................`............@.............................p$..L...P.... ..@....................0...#..0&..............................@...@............ ...............................text............................... ..`.rdata..0.... ......................@..@.data....1..........................@....rsrc...@.... ......................@..@.reloc...$...0...&..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):8329
                                                                                                                                                                                                          Entropy (8bit):4.990362708041138
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:Mysmv0i6F818NxRBNib8HUjxeUuuIZeMiBWesmeBBQLVGfPzEUHj5v:A+uBmYgHH24Vk7DHN
                                                                                                                                                                                                          MD5:A4C8DF90B93FD01C6ED33137E9BE7ACC
                                                                                                                                                                                                          SHA1:E60A19D55267D0B0284E112FAEC0CECF82D61062
                                                                                                                                                                                                          SHA-256:ECBDEDFCF8D6C88019EC75FC3697BC2D59370042973FE0B5839350D9496B168B
                                                                                                                                                                                                          SHA-512:F2608AF48C3EFAE58FFC45197BB060933C6129F8A8FCE7580002030D2DAD6E822E85B4B27142AD78B78B632F0BBB566889F3E6DE6D8DA04F9329CAA558017756
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:#!/bin/bash..#..#.uninstall: RDM Appweb uninstall script..#..#.Copyright (c) Embedthis Software LLC, 2003-2014. All Rights Reserved...#..#.Usage: uninstall [configFile]..#..################################################################################....HOME=`pwd`..FMT=....PRODUCT="RDMAppweb"..COMPANY="embedthis"..NAME="RDM Appweb"..VERSION="4.6.0.10"..OS="windows"....ROOT_PREFIX="C:\"..BASE_PREFIX="C:\Program Files"..STATE_PREFIX="C:\Program Files\RDM Appweb"..APP_PREFIX="C:\Program Files\RDM Appweb"..VAPP_PREFIX="C:\Program Files\RDM Appweb"....BIN_PREFIX="C:\Program Files\RDM Appweb\bin"..SBIN_PREFIX="${prefixes.sbin}"..ETC_PREFIX="C:\Program Files\RDM Appweb"..INC_PREFIX="C:\Program Files\RDM Appweb\inc"..LIB_PREFIX="C:\Program Files\RDM Appweb\lib"..MAN_PREFIX="C:\Program Files\RDM Appweb\man"..WEB_PREFIX="C:\Program Files\RDM Appweb\web"..LOG_PREFIX="C:\Program Files\RDM Appweb\log"..SPL_PREFIX="C:\Program Files\RDM Appweb\tmp"..CACHE_PREFIX="C:\Program Files\RDM Appweb\cache"
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):10240
                                                                                                                                                                                                          Entropy (8bit):5.472363161166322
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:ewYNFNZNWNGNlNNNM2a+XgApmQ7xs9HGPGHH3X8PVlD69OeGMskA:ewrGsVXsPVl+
                                                                                                                                                                                                          MD5:C294956435DAFBB85576411C193194B7
                                                                                                                                                                                                          SHA1:311B68DC30EEBCEA346F4BB27053C37D6E9B3415
                                                                                                                                                                                                          SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
                                                                                                                                                                                                          SHA-512:628BC704A48E5F98E20E92C0FF373A294B49DC6CF2162E06C8E732C5889BDBD48FC50C898F30279785C579310D3B24C6F6C63C290D2A3BAD58F2862C4703E813
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P......L...L...L..gL...L.@hL...L.@jL...L.@_L...L..?L...L...L"..L.@^L...L.@oL...L.@iL...LRich...L........................PE..L....H.T...........!.........................0...............................`............@.........................07..|....1..x............................P..,....................................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..Z....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):15360
                                                                                                                                                                                                          Entropy (8bit):4.764212548874856
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:g4XTbqm6GUVFK9GGxd4oGbeGSe4myxDlZw3XYPVR6y1mctFisjdkSVnB:Hy4bhZQIPV51mcnkSV
                                                                                                                                                                                                          MD5:44C50541990E65CD71A3B8D488575628
                                                                                                                                                                                                          SHA1:125174987BC831EB817788D77DD1A3F0045F1330
                                                                                                                                                                                                          SHA-256:D17FD8F0E530885A9D8107ABF0EC68D133F68BF7873A130E9EDEE13DDA989D50
                                                                                                                                                                                                          SHA-512:EDA8E569EA33BF7DDB212B038C3B2F2D12F1FF09DE1FC9F8310F6E7E342CA9744C59F4040B496D5C6FBCD3B0B5A8FC4DE1DD88C7A702549E88EDC19DB39C8F56
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....L...L...L.dfL...L.iL...L.kL...L.^L...Lv.>L...L...L...L._L...L.nL...L.hL...LRich...L........................PE..L....H.T...........!..........[.....f .......0................................\...........@..........................7..}....1..x.............................[.....................................01..@............0...............................text...n........................... ..`.rdata..-....0......................@..@.data....[..@.......$..............@....reloc..D.....[......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):10240
                                                                                                                                                                                                          Entropy (8bit):5.472363161166322
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:ewYNFNZNWNGNlNNNM2a+XgApmQ7xs9HGPGHH3X8PVlD69OeGMskA:ewrGsVXsPVl+
                                                                                                                                                                                                          MD5:C294956435DAFBB85576411C193194B7
                                                                                                                                                                                                          SHA1:311B68DC30EEBCEA346F4BB27053C37D6E9B3415
                                                                                                                                                                                                          SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
                                                                                                                                                                                                          SHA-512:628BC704A48E5F98E20E92C0FF373A294B49DC6CF2162E06C8E732C5889BDBD48FC50C898F30279785C579310D3B24C6F6C63C290D2A3BAD58F2862C4703E813
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P......L...L...L..gL...L.@hL...L.@jL...L.@_L...L..?L...L...L"..L.@^L...L.@oL...L.@iL...LRich...L........................PE..L....H.T...........!.........................0...............................`............@.........................07..|....1..x............................P..,....................................1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@......................@....reloc..Z....P.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):15360
                                                                                                                                                                                                          Entropy (8bit):4.764212548874856
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:g4XTbqm6GUVFK9GGxd4oGbeGSe4myxDlZw3XYPVR6y1mctFisjdkSVnB:Hy4bhZQIPV51mcnkSV
                                                                                                                                                                                                          MD5:44C50541990E65CD71A3B8D488575628
                                                                                                                                                                                                          SHA1:125174987BC831EB817788D77DD1A3F0045F1330
                                                                                                                                                                                                          SHA-256:D17FD8F0E530885A9D8107ABF0EC68D133F68BF7873A130E9EDEE13DDA989D50
                                                                                                                                                                                                          SHA-512:EDA8E569EA33BF7DDB212B038C3B2F2D12F1FF09DE1FC9F8310F6E7E342CA9744C59F4040B496D5C6FBCD3B0B5A8FC4DE1DD88C7A702549E88EDC19DB39C8F56
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.....L...L...L.dfL...L.iL...L.kL...L.^L...Lv.>L...L...L...L._L...L.nL...L.hL...LRich...L........................PE..L....H.T...........!..........[.....f .......0................................\...........@..........................7..}....1..x.............................[.....................................01..@............0...............................text...n........................... ..`.rdata..-....0......................@..@.data....[..@.......$..............@....reloc..D.....[......*..............@..B........................................................................................................................................................................................................................................................................................................................................................
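The records above are the report's dropped-file inventory: for each artifact, the dropping process, the libmagic file type, size, 8-bit entropy, digests, scanner hit rate and a byte preview. Reviewing them by hand is error-prone, so the following Python is an added triage helper, not Joe Sandbox's own code, that parses records in this key:value layout, recomputes entropy and digests for a file retrieved from the sandbox, and flags what a reviewer checks first: the same SHA-256 dropped more than once by one process (as with the two identical 10240-byte and 15360-byte DLL entries above), a declared PE whose preview lacks the MZ stub, a non-zero scanner detection, and a Unix shell script packaged with CRLF line endings (the uninstall script above). The function names and the findings wording are this example's own; the embedded excerpt is copied from four records on this page with SSDEEP, SHA-512 and most preview bytes left out to keep it short.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed excerpt: four records from the report above (SSDEEP/SHA-512 omitted, previews cut
# short). As in the report, each record begins at a 'Process:' line.
SAMPLE_RECORDS = r"""
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):9216
Entropy (8bit):5.432280273703063
MD5:2B33B23FD5A45B1ACB401932D259469B
SHA-256:8C700F40B86A7AC99FF638C8FA42DA8F9CC472C184A39EA8BFD5FAD899F6E9AA
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZ......................@.......
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):10240
Entropy (8bit):5.472363161166322
MD5:C294956435DAFBB85576411C193194B7
SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@.......
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):10240
Entropy (8bit):5.472363161166322
MD5:C294956435DAFBB85576411C193194B7
SHA-256:AF0079A84FF550D0678E1428CFDF157D0B69437A5F45085F01B049FB0AD8CF0D
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@.......
Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:Bourne-Again shell script, ASCII text executable, with CRLF line terminators
Size (bytes):8329
Entropy (8bit):4.990362708041138
MD5:A4C8DF90B93FD01C6ED33137E9BE7ACC
SHA-256:ECBDEDFCF8D6C88019EC75FC3697BC2D59370042973FE0B5839350D9496B168B
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:#!/bin/bash..#..#.uninstall: RDM Appweb uninstall script..#
"""


def parse_records(text):
    """One dict per dropped file; the scanner bullet lines are collected under 'Antivirus'."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):
            cur = {"Antivirus": []}
            records.append(cur)
        if not line or cur is None:
            continue
        if line.startswith("•"):
            cur["Antivirus"].append(line.lstrip("• "))
            continue
        key, _, value = line.partition(":")  # split on the first colon only: paths contain ':'
        if key != "Antivirus":
            cur[key] = value
    return records


def max_detection(record):
    """Highest 'Detection: N%' among the record's scanner lines, 0 if none."""
    hits = [int(m) for m in re.findall(r"Detection:\s*(\d+)%", " ".join(record["Antivirus"]))]
    return max(hits, default=0)


def shannon_entropy(data):
    """Bits per byte on the same 0..8 scale as the report's 'Entropy (8bit)' field."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def hashes_match(data, record):
    """Recompute digests of a file pulled from the sandbox and compare with the record's digests."""
    algos = {"MD5": "md5", "SHA1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}
    return all(hashlib.new(a, data).hexdigest().upper() == record[f].upper()
               for f, a in algos.items() if f in record)


def triage(records):
    """Findings worth a look before accepting a 'Malicious:false' verdict at face value."""
    findings, seen = [], Counter(r.get("SHA-256") for r in records)
    for i, r in enumerate(records):
        tag, ftype, preview = f"record {i}", r.get("File Type", ""), r.get("Preview", "")
        if seen[r.get("SHA-256")] > 1:
            findings.append(f"{tag}: SHA-256 dropped {seen[r['SHA-256']]} times, compare the drop paths")
        if ftype.startswith("PE32") and not preview.startswith("MZ"):
            findings.append(f"{tag}: declared PE but preview lacks the MZ stub")
        if "shell script" in ftype and "CRLF" in ftype:
            findings.append(f"{tag}: Unix shell script with CRLF line endings")
        if max_detection(r) > 0:
            findings.append(f"{tag}: scanner detection {max_detection(r)}%")
        if not 0.0 <= float(r.get("Entropy (8bit)", 0)) <= 8.0:
            findings.append(f"{tag}: entropy outside the 0..8 range")
    return findings
```

Run `triage(parse_records(text))` over the full dropped-files section once it has been copied out of the report; `hashes_match` and `shannon_entropy` are for the moment you download a dropped file from the sandbox and want to confirm it is the same bytes the report scored, rather than trusting the listed digests and entropy figure alone.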
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1343
                                                                                                                                                                                                          Entropy (8bit):4.729477215077007
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:ZXM28ykmHFSwMcwa4Lphvo0cwV+whOuiOar9cDCZbyO9WOy:ZXgykYgwMcwasPv9VpMui7JcDSy0W
                                                                                                                                                                                                          MD5:67EB417F2CFAB6B9CD65A46B2645C0F1
                                                                                                                                                                                                          SHA1:F70200DC8525716D5ACEAE3F9D1AF0354E6F2AAB
                                                                                                                                                                                                          SHA-256:7D5012CAD1DC515870406CA7BC1185F234F241BCC052CC1AAF22588D32BF46E8
                                                                                                                                                                                                          SHA-512:9EEA74E80A76700BA32BBBFF8C3A4E2EE21C92F4028A0190E0E0B75DE6427E584DA4D7C1798A78FB9CCCC4AC984FF4A86D08CB1E77D97DDE7E0E8C28C9C08678
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/Program Files/RDM Appweb/CertMgr.Exe./Program Files/RDM Appweb/LICENSE.TXT./Program Files/RDM Appweb/README.TXT./Program Files/RDM Appweb/Rdm.ico./Program Files/RDM Appweb/appweb.conf./Program Files/RDM Appweb/bin/RDMAppman.exe./Program Files/RDM Appweb/bin/RDMAppweb.exe./Program Files/RDM Appweb/bin/ca.crt./Program Files/RDM Appweb/bin/esp.conf./Program Files/RDM Appweb/bin/install./Program Files/RDM Appweb/bin/libappweb.dll./Program Files/RDM Appweb/bin/libeay32.dll./Program Files/RDM Appweb/bin/libhttp.dll./Program Files/RDM Appweb/bin/libmod_cgi.dll./Program Files/RDM Appweb/bin/libmod_esp.dll./Program Files/RDM Appweb/bin/libmod_ssl.dll./Program Files/RDM Appweb/bin/libmpr.dll./Program Files/RDM Appweb/bin/libmprssl.dll./Program Files/RDM Appweb/bin/libmprssl.lib./Program Files/RDM Appweb/bin/libpcre.dll./Program Files/RDM Appweb/bin/libslink.dll./Program Files/RDM Appweb/bin/msvcr100.dll./Program Files/RDM Appweb/bin/removeFiles.exe./Program Files/RDM Appweb/bin/ssleay32.dll./Pr
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):106
                                                                                                                                                                                                          Entropy (8bit):5.002092325538369
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:3Q/EzvxmfsNrHO0MS0oXRuho/2CLZhn:9jxT2SRrv
                                                                                                                                                                                                          MD5:A5C52895B72CDEE08CEF09F58AE06469
                                                                                                                                                                                                          SHA1:5F7D1CAA54FA6BC7E19A454A43D61EA34F3C287E
                                                                                                                                                                                                          SHA-256:041AE90E9295260E852C10C30F845ACD7BCD73B58D2CB3F911D34F39829BF8B4
                                                                                                                                                                                                          SHA-512:0F47822C3707DA644DE3FD933888D9F5622D1C04D648BE289CAA8F2DBEE111A31C2FCD41C29A8FA8AF23FB438FDAA871BC31C97C55AD18906419AB8452AA2FCB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Documents "web".set LOG_DIR "log".set CACHE_DIR "cache".ListenSecure 127.0.0.1:736.ListenSecure [::1]:736.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):16260
                                                                                                                                                                                                          Entropy (8bit):4.756487759189681
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:NCr4rCni5BdEHu6VroqId0EesZ/8eMeWp:c0e6vEvfLw9fWp
                                                                                                                                                                                                          MD5:0699CA05F3648A1D38EC1B0493D6716E
                                                                                                                                                                                                          SHA1:1FD90589878EBF967399405193A6BCC8424484FE
                                                                                                                                                                                                          SHA-256:1656F2398978E0C7E06784A5706C49D57E54E073FB656D3728C7BCF97300D3E5
                                                                                                                                                                                                          SHA-512:3E7D568E40BDB1BEBA86F0978600BA033C3DD9C6589490AEC6CF8F10E8F1F461DFB566377036B4DACFC3F7299B8D75B223AB238458E76E27C17A5A9BEBF2E973
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Embedthis Appweb GPL License Agreement....This software is licensed according to the provisions of GNU GENERAL PUBLIC..LICENSE below. ....Commercial license are also available for those who require them. The..Embedthis Commercial License, allows you to provide commercial software..licenses for products containing Embedthis software. This is for individuals or..organizations that do not want to release their source code as open source /..free software as governed by the GPL license below. For more information on..licensing, please see:....http://embedthis.com/downloads/licensing.html....Some components of the sofware are licensed from third parties. See the end of..this document for a list of licensed third party software.....GNU GENERAL PUBLIC LICENSE, Version 2, June 1991.....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite..330, Boston, MA 02111-1307 USA....Everyone is permitted to copy and distribute verbatim copies of this license..document, but ch
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PEM RSA private key
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1675
                                                                                                                                                                                                          Entropy (8bit):6.020979289198149
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:LrddS4E21k97ESwa3fDvYt3fT67NHyuDHXYopF6v:Lrdd1EkkJEufDvkmNt7XYopIv
                                                                                                                                                                                                          MD5:40FE5B7F579DC671E23EEEB6931C1EFF
                                                                                                                                                                                                          SHA1:79B6EA99A4B4FCF6EF91FF12252A8DBD95252AEC
                                                                                                                                                                                                          SHA-256:6EF57ED842EF806919FAE0BD1046D3461618E6F6A89645BAE3DCEE508BBB9F41
                                                                                                                                                                                                          SHA-512:9DB966DD29BAD78BA6DC31CD1A2BE17A02AD0811C89015791B471347461BEB9A80E5C3F9910D7802B94D136A5CF90CD4368987902A360772AF0DB3EBEAB98369
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2030
                                                                                                                                                                                                          Entropy (8bit):4.942123442929845
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:qXhKrzTbpV+JAcrPXGnEiCnvIIewNrfou/1:GhKrz5oSnE/h7Nrfdt
                                                                                                                                                                                                          MD5:5D84902B4958057D539FE5D59C09CC62
                                                                                                                                                                                                          SHA1:C6C93EA2F373D2C2229A89D0F10892C783828911
                                                                                                                                                                                                          SHA-256:2F5640B2D15D8422FD490DAE180F4882C3443C37FF0821D1905395F87338CB48
                                                                                                                                                                                                          SHA-512:A3407E48FC9043E554414DC31A1ED23D42E6F72C3F0623B72E09BA0A2C387210D3F289BABE5949249E72364BBF4E63E897348EC4C2ECD546536B8DD334B02A39
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:#..# appweb.conf -- Default Configuration for the RDM Appweb HTTP Server..# ....# The order of configuration directives matters as this file is parsed only ..# once. This is a minimal configuration. ....#..# The install.config specifies: Documents, Listen and ListenSecure..#..include install.conf....#..# Define the logging configuration first so errors are logged. This is for..# errors and debug trace for the whole server including virtual hosts. Add ..# a timestamp every 1 hour. This is overridden by appweb command line args...#..ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr....#..# The user and group account to run as. The fake name APPWEB will change..# user/group to the Appweb default user/group if running as root/adminstrator...# This is www on MAC, nobody/nogroup on Linux, and administrator on Windows. ..# NOTE: ESP require write access to the cache directory. if you wish ..# to backup log files, you must have write permission to
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1343
                                                                                                                                                                                                          Entropy (8bit):4.729477215077007
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:ZXM28ykmHFSwMcwa4Lphvo0cwV+whOuiOar9cDCZbyO9WOy:ZXgykYgwMcwasPv9VpMui7JcDSy0W
                                                                                                                                                                                                          MD5:67EB417F2CFAB6B9CD65A46B2645C0F1
                                                                                                                                                                                                          SHA1:F70200DC8525716D5ACEAE3F9D1AF0354E6F2AAB
                                                                                                                                                                                                          SHA-256:7D5012CAD1DC515870406CA7BC1185F234F241BCC052CC1AAF22588D32BF46E8
                                                                                                                                                                                                          SHA-512:9EEA74E80A76700BA32BBBFF8C3A4E2EE21C92F4028A0190E0E0B75DE6427E584DA4D7C1798A78FB9CCCC4AC984FF4A86D08CB1E77D97DDE7E0E8C28C9C08678
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/Program Files/RDM Appweb/CertMgr.Exe./Program Files/RDM Appweb/LICENSE.TXT./Program Files/RDM Appweb/README.TXT./Program Files/RDM Appweb/Rdm.ico./Program Files/RDM Appweb/appweb.conf./Program Files/RDM Appweb/bin/RDMAppman.exe./Program Files/RDM Appweb/bin/RDMAppweb.exe./Program Files/RDM Appweb/bin/ca.crt./Program Files/RDM Appweb/bin/esp.conf./Program Files/RDM Appweb/bin/install./Program Files/RDM Appweb/bin/libappweb.dll./Program Files/RDM Appweb/bin/libeay32.dll./Program Files/RDM Appweb/bin/libhttp.dll./Program Files/RDM Appweb/bin/libmod_cgi.dll./Program Files/RDM Appweb/bin/libmod_esp.dll./Program Files/RDM Appweb/bin/libmod_ssl.dll./Program Files/RDM Appweb/bin/libmpr.dll./Program Files/RDM Appweb/bin/libmprssl.dll./Program Files/RDM Appweb/bin/libmprssl.lib./Program Files/RDM Appweb/bin/libpcre.dll./Program Files/RDM Appweb/bin/libslink.dll./Program Files/RDM Appweb/bin/msvcr100.dll./Program Files/RDM Appweb/bin/removeFiles.exe./Program Files/RDM Appweb/bin/ssleay32.dll./Pr
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:MS Windows icon resource - 1 icon, 64x64, 24 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):12862
                                                                                                                                                                                                          Entropy (8bit):3.6798341854015195
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:q7KYJRfZ2YR6aRvnR0cORkoCqgR728KRPstRCZRk1RfRvRS24hRk8tCR2mRTkvRu:q7KYJRfZ2YR6aRvnR0cORkoCqgR728Ks
                                                                                                                                                                                                          MD5:C100FD2F4F4F10D15C0E6C4AFD22686D
                                                                                                                                                                                                          SHA1:AFE9BFD16D92EBB0CD96DA8054A566172742B2AC
                                                                                                                                                                                                          SHA-256:5585542C636B944637915F5BE13EC515619103150EC49F576D78DAB66F7503AC
                                                                                                                                                                                                          SHA-512:0E8E956933DB858F1CBA087A2A194454D3987FB1E14C033D38666637C36A0223E1BC4FFADE3E1725E7DC8F7F022928B4A66B9828E442E7E7BEA1D3DBA5666FE9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PEM certificate
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1472
                                                                                                                                                                                                          Entropy (8bit):5.885548451022044
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:LrcC5C/hfz7O7nw+U7KjDxYpxN9OBRtsrtt7vl9cprz9R8mUzsRkq2TIKA7HtnXJ:LrcJpfz7Snw+U7TN9O7urb7typImMsj1
                                                                                                                                                                                                          MD5:520E74A2B8D63AE554CD91011694C1F2
                                                                                                                                                                                                          SHA1:EAA9D1A7E63DA0945A94E1983F829BD1D1778902
                                                                                                                                                                                                          SHA-256:4AF8F1EC7A8207BF3BB6CD2C42A4ED5E9C2D0CEEB6D2D88E7B2C9C980ADD1135
                                                                                                                                                                                                          SHA-512:415BB2D409BAE76292766288A771AF47BA84C7849637C6A0EA852F4520117C6C78CFA1AED8658218E79C4A0C69A92DC1F197E8B29757695E701D1E97CFDFFAE5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):22445
                                                                                                                                                                                                          Entropy (8bit):4.756022236735267
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:35QzHCaou+vDy8tRP9v0Di6N9G5q+sP/oppqnd:3SGvprv0Di6N9GM+tp6d
                                                                                                                                                                                                          MD5:077D74570F3BCDFAF1446A1B10AB477B
                                                                                                                                                                                                          SHA1:115F6DBC318962C15400B8EAD9499E8997F9A70C
                                                                                                                                                                                                          SHA-256:ADE6F7E4C5D2B6D1285686ECD968BC4F14AC53E7D568292EA2E4556A81E02072
                                                                                                                                                                                                          SHA-512:63BF51961888A482A5D9727A9E6D2D5A81AA5492E64CBE15E731944E9036BA396D8DAFB22BCBAE58FFB0FCC4C1894BA527AEA06CED0B719319571801FD0BC501
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:#.# sample.conf -- Sample (Maximal) Configuration for the Embedthis Appweb HTTP Server.# .# This sample demonstrates many directives that can be used in an appweb.conf file..# Do not use this file directly, it is too verbose. Rather cut the sections you need.# into your own, minimal configuration file...#.# Server home directory for Appweb to find configuration files. .# Appweb will change directory to this location when it runs..#.# Home "."..#.# Define the logging configuration first so any errors are logged..# This is for errors and debug trace. This log file is for the whole.# server including virtual hosts. Add a timestamp every 1 hour..# This is overridden by appweb command line args: -v and --log..#.ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr..#.# Control the tracing of request and response requests to the error log..# This directive defines the levels at which various events are logged..#.# Log rx conn=5 first=2 headers=3
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PEM certificate
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1574
                                                                                                                                                                                                          Entropy (8bit):5.905699622879769
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
                                                                                                                                                                                                          MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
                                                                                                                                                                                                          SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
                                                                                                                                                                                                          SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
                                                                                                                                                                                                          SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2739
                                                                                                                                                                                                          Entropy (8bit):4.855747086863456
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:p2KzzQdnd6rIrNIqru6pN47wEbPmh0ThMsgazBCz4t0PiSLbFD/YWJI:p2Kg6rIraqFpwr+h0TWsgaz0Dirn
                                                                                                                                                                                                          MD5:20AB580E399534B15A80596BF368D082
                                                                                                                                                                                                          SHA1:354FA14F13DE311A83395B4552179FE2692D73E4
                                                                                                                                                                                                          SHA-256:168F4FF32F22F24AC210959328322D2C73AFBD245E47BC7060DB68DF6E30C8C8
                                                                                                                                                                                                          SHA-512:A97137121B6B32D0B203E725CE0C850E97959851F94AB1A23818615166144096A2AD723D7EE89F72253B5D2C81271C8C50C19108D95DA661E7EF10AF44F0CC5B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:RdmAppweb....Welcome to the RdmAppweb -- the fastest little web server (from Embedthis..Appweb(TM))....This document contains details regarding the installation procedure for the..binary RdmAppweb package. This package contains pre-built stand-alone web..server and an embeddable HTTP library with headers. ....This software is copyrighted and distributed under license. Please read the..LICENSE.TXT for details.....Table of Contents....* System Requirements..* Installation Package Formats..* Development Environment Platform Support..* Windows Release Details..* Removing RdmAppweb..* Running RdmAppweb..* License and Copyright Information......System Requirements....Operating System Support.... * Windows-7, Windows-8 (x86,x64)....To install RdmAppweb, your system will need at least the following:.... * 10 MB Disk.. * 1 GB RAM....Installation Package Formats....Windows Release Details....To install the Windows Installer image:.... 1. Login with administrator privileges. This is n
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):187
                                                                                                                                                                                                          Entropy (8bit):5.181464333881601
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:1qfsNkdZj2/zHJvxMS+dZj2/zHoNi5S/Ek1XZj2/zHBxXRuho/2CFUXYw2n:1vdvekc0lk1QtxBr9UX6n
                                                                                                                                                                                                          MD5:0EEDCC979E0E69F6797C01C54B9D2ED7
                                                                                                                                                                                                          SHA1:7512E590C482AEEE98F8B5454A11866CD29ACF5E
                                                                                                                                                                                                          SHA-256:7591CA2E4526BC241CC623E037DA03130F02C7E186E2B23F046ED132C1E4EF2A
                                                                                                                                                                                                          SHA-512:5A732CBF50212F5E5DC1F2BE90FCC8BD6CEC0F303D06D32BAD4F04A14EC5D6DFA64D55D6757728D4ABC68A72F3E192415935379642D0FCDA9FFBBF371235EF36
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:set LOG_DIR "C:\Program Files\RDM Appweb\log".set CACHE_DIR "C:\Program Files\RDM Appweb\cache".Documents "C:\Program Files\RDM Appweb\web".ListenSecure 127.0.0.1:736.Listen 127.0.0.1:81.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2881
                                                                                                                                                                                                          Entropy (8bit):4.577137481337325
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:7tDhL6n+lQiaCM6olp/HeDaOrdkQu2lY1XhWWNCLG48h0ccxEH6BTyP66raD8uL4:thLNQrf6qk8/iclKxEarLj65
                                                                                                                                                                                                          MD5:1E2288EE5609BA07EFE10FB9A6EF61B2
                                                                                                                                                                                                          SHA1:E718F9F52DE5AA7AC9B5F72F3A7D6EE9D2326E30
                                                                                                                                                                                                          SHA-256:4AE88DA61C928D6F25503628B8CDAF8288CCC3E493FBD9683CA806D0951274AE
                                                                                                                                                                                                          SHA-512:CB0CEFF46AE4742C66C763A5877251B2490688774C30C48CAC6959BC2352E1F1C6683276FADB844411C474EF6FA51969DDBBE43123D031991883480DF3DF2EC2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:application/javascript js.application/json json.application/mac-binhex40 hqx.application/mac-compactpro cpt.application/msword doc.application/octet-stream bin dms lha lzh exe class so dll jar dmg deb pkg.application/oda oda.application/pdf pdf.application/postscript ai eps ps.application/sdp sdp.application/smil smi smil.application/vnd.mif mif.application/vnd.ms-excel xls.application/vnd.ms-fontobject eof.application/vnd.ms-powerpoint ppt.application/vnd.rn-realmedia rm.application/vnd.wap.wbxml wbxml.application/vnd.wap.wmlc wmlc.application/vnd.wap.wmlscriptc wmlsc.application/x-bcpio bcpio.application/x-bzip2 bz2.application/x-cdlink vcd.application/x-chess-pgn pgn.application/x-cpio cpio.application/x-csh csh.application/x-director dcr dir dxr.application/x-dvi dvi.application/x-font-ttf ttf.application/x-font-opentype otf.application/x-futuresplash spl.application/x-gtar gtar.application/x-gzip gz tgz.application/x-hdf hdf.application/x-kchart chrt.application/x-killustrator kil
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):70992
                                                                                                                                                                                                          Entropy (8bit):5.989810876164699
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:0uOUkO0UXRiKvbVAc5xt3lGnmdYw+WXsA9iYzvyq9rHUq:9OUu3KvbVtxt1Gnmdt+WXsox9oq
                                                                                                                                                                                                          MD5:2764C3E30034E9469ADBDBBC99BD98E7
                                                                                                                                                                                                          SHA1:F0014D2FAD0879323DCAFA6086647A21848910EE
                                                                                                                                                                                                          SHA-256:06F43698A703D3EF346C7FEDD8864452C4052EAB924A450CA1CCB12BC7C97049
                                                                                                                                                                                                          SHA-512:DE662E143460D44476AF66FDEB7A65699B06F565FED16F77B3776F3487ACCF76EE72016109549813F2C9F8B0DC061708C900FE3AE37C59DB374C4F33A67AAAFA
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=[.eS..eS..eS......eS......eS......eS..eR..eS......eS...-..eS......eS......eS.Rich.eS.................PE..L... .[J.....................................................................@......C.....@...... ......................................xW..............P....0..........................................@............................................text...f........................... ..`.data....(..........................@....rsrc...xW.......X..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1000
                                                                                                                                                                                                          Entropy (8bit):4.89213077945812
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:1PL9MPmGpPoKHPBhBPxcNPjTPvPMCHPP1e8PmGpPtPsUPPPUIhDPUihDcYLLMbUK:duDB7vB3cPn/v9DBFswHbhrVh/wYK
                                                                                                                                                                                                          MD5:BA5698F8B9F274F466E0B731B6DA8F02
                                                                                                                                                                                                          SHA1:B51607E5A60DDB85235ED415A610A484A5A3D009
                                                                                                                                                                                                          SHA-256:5B4F03F33238CC8918577D24BD37B758E69706FAC58281494A2650E56FB76D78
                                                                                                                                                                                                          SHA-512:20C5BD7C89BB1C404FD0461DA24C198C913EBDC982360B5522524E755FCADAF285605C8598EB29ABDCE92BF289C572FB1502E26B29B334E63B24647F88602C2D
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:RDMAppweb: 2: Configuration for RDM Corporation RDMAppweb..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Version: 4.6.0.10..RDMAppweb: 2: BuildType: Release..RDMAppweb: 2: CPU: x86..RDMAppweb: 2: OS: windows..RDMAppweb: 2: Host: 571345..RDMAppweb: 2: Directory: C:\Program Files (x86)\RDM Corporation\RDM Appweb..RDMAppweb: 2: Configure: me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Loading native module libmod_ssl.dll..RDMAppweb: 2: Loading native module libmod_esp.dll..RDMAppweb: 2: Loading native module RDMDA.dll..RDMAppweb: 2: Started HTTPS service on "127.0.0.1:736"..RDMAppweb: 2: Started HTTPS service on "[::1]:736"..RDMAppweb: 1: Started at Thu Oct 31 14:23:19 2024 Eastern Summer Time with max 1 threads..
                                                                                                                                                                                                          Process:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
Size (bytes):1000
Entropy (8bit):4.89213077945812
Encrypted:false
SSDEEP:24:1PL9MPmGpPoKHPBhBPxcNPjTPvPMCHPP1e8PmGpPtPsUPPPUIhDPUihDcYLLMbUK:duDB7vB3cPn/v9DBFswHbhrVh/wYK
MD5:BA5698F8B9F274F466E0B731B6DA8F02
SHA1:B51607E5A60DDB85235ED415A610A484A5A3D009
SHA-256:5B4F03F33238CC8918577D24BD37B758E69706FAC58281494A2650E56FB76D78
SHA-512:20C5BD7C89BB1C404FD0461DA24C198C913EBDC982360B5522524E755FCADAF285605C8598EB29ABDCE92BF289C572FB1502E26B29B334E63B24647F88602C2D
Malicious:false
Preview:RDMAppweb: 2: Configuration for RDM Corporation RDMAppweb..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Version: 4.6.0.10..RDMAppweb: 2: BuildType: Release..RDMAppweb: 2: CPU: x86..RDMAppweb: 2: OS: windows..RDMAppweb: 2: Host: 571345..RDMAppweb: 2: Directory: C:\Program Files (x86)\RDM Corporation\RDM Appweb..RDMAppweb: 2: Configure: me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est..RDMAppweb: 2: ---------------------------------------------..RDMAppweb: 2: Loading native module libmod_ssl.dll..RDMAppweb: 2: Loading native module libmod_esp.dll..RDMAppweb: 2: Loading native module RDMDA.dll..RDMAppweb: 2: Started HTTPS service on "127.0.0.1:736"..RDMAppweb: 2: Started HTTPS service on "[::1]:736"..RDMAppweb: 1: Started at Thu Oct 31 14:23:19 2024 Eastern Summer Time with max 1 threads..

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text
Category:dropped
Size (bytes):2881
Entropy (8bit):4.577137481337325
Encrypted:false
SSDEEP:48:7tDhL6n+lQiaCM6olp/HeDaOrdkQu2lY1XhWWNCLG48h0ccxEH6BTyP66raD8uL4:thLNQrf6qk8/iclKxEarLj65
MD5:1E2288EE5609BA07EFE10FB9A6EF61B2
SHA1:E718F9F52DE5AA7AC9B5F72F3A7D6EE9D2326E30
SHA-256:4AE88DA61C928D6F25503628B8CDAF8288CCC3E493FBD9683CA806D0951274AE
SHA-512:CB0CEFF46AE4742C66C763A5877251B2490688774C30C48CAC6959BC2352E1F1C6683276FADB844411C474EF6FA51969DDBBE43123D031991883480DF3DF2EC2
Malicious:false
Preview:application/javascript js.application/json json.application/mac-binhex40 hqx.application/mac-compactpro cpt.application/msword doc.application/octet-stream bin dms lha lzh exe class so dll jar dmg deb pkg.application/oda oda.application/pdf pdf.application/postscript ai eps ps.application/sdp sdp.application/smil smi smil.application/vnd.mif mif.application/vnd.ms-excel xls.application/vnd.ms-fontobject eof.application/vnd.ms-powerpoint ppt.application/vnd.rn-realmedia rm.application/vnd.wap.wbxml wbxml.application/vnd.wap.wmlc wmlc.application/vnd.wap.wmlscriptc wmlsc.application/x-bcpio bcpio.application/x-bzip2 bz2.application/x-cdlink vcd.application/x-chess-pgn pgn.application/x-cpio cpio.application/x-csh csh.application/x-director dcr dir dxr.application/x-dvi dvi.application/x-font-ttf ttf.application/x-font-opentype otf.application/x-futuresplash spl.application/x-gtar gtar.application/x-gzip gz tgz.application/x-hdf hdf.application/x-kchart chrt.application/x-killustrator kil

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PEM certificate
Category:dropped
Size (bytes):1472
Entropy (8bit):5.885548451022044
Encrypted:false
SSDEEP:24:LrcC5C/hfz7O7nw+U7KjDxYpxN9OBRtsrtt7vl9cprz9R8mUzsRkq2TIKA7HtnXJ:LrcJpfz7Snw+U7TN9O7urb7typImMsj1
MD5:520E74A2B8D63AE554CD91011694C1F2
SHA1:EAA9D1A7E63DA0945A94E1983F829BD1D1778902
SHA-256:4AF8F1EC7A8207BF3BB6CD2C42A4ED5E9C2D0CEEB6D2D88E7B2C9C980ADD1135
SHA-512:415BB2D409BAE76292766288A771AF47BA84C7849637C6A0EA852F4520117C6C78CFA1AED8658218E79C4A0C69A92DC1F197E8B29757695E701D1E97CFDFFAE5
Malicious:false
Preview:-----BEGIN CERTIFICATE-----.MIIEETCCAvmgAwIBAgIJAK5EzyUs5u9CMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTcwNDIw.MjAzMzAwWhcNMjcwNDE4MjAzMzAwWjCBoDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEgMB4GA1UEAwwXbG9jYWxob3N0IC0gUkRNIFNjYW5uZXIwggEiMA0G.CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvfQRrBmdXTR9THaoAbeCyLEW3Rd4x.KOGbIwdYQChU69De4u3tX9q7/IU2G3Kjwk1u6Ga3fu/9SFQfRlm6aFPKtXUZG0XM.9E4dpA/n9q/1cCQVAsf8ZYyBT1OHfRRQuqSr9+/smFpipDbCemhQIf3pO+h0kgyp.yw2V8/qHbZ1GZWWAcyC6awTUE1CfQydNqPz3ODzOBMj8WXjC1BFqzaG2a/34hhjN.d3MLqA/XZRS8nWLKKB4ghaTRp55f1V/tVAt9nPSZ7i/a9WG86mD1IOMiqN7X2RDA.BevkEZvBiy3QeCL8aIoPVNmED1jLD6sDBk5o9ntIRN6FEARYQ285ZnkPAgMBAA

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PEM RSA private key
Category:dropped
Size (bytes):1675
Entropy (8bit):6.020979289198149
Encrypted:false
SSDEEP:48:LrddS4E21k97ESwa3fDvYt3fT67NHyuDHXYopF6v:Lrdd1EkkJEufDvkmNt7XYopIv
MD5:40FE5B7F579DC671E23EEEB6931C1EFF
SHA1:79B6EA99A4B4FCF6EF91FF12252A8DBD95252AEC
SHA-256:6EF57ED842EF806919FAE0BD1046D3461618E6F6A89645BAE3DCEE508BBB9F41
SHA-512:9DB966DD29BAD78BA6DC31CD1A2BE17A02AD0811C89015791B471347461BEB9A80E5C3F9910D7802B94D136A5CF90CD4368987902A360772AF0DB3EBEAB98369
Malicious:false
Preview:-----BEGIN RSA PRIVATE KEY-----.MIIEogIBAAKCAQEAr30EawZnV00fUx2qAG3gsixFt0XeMSjhmyMHWEAoVOvQ3uLt.7V/au/yFNhtyo8JNbuhmt37v/UhUH0ZZumhTyrV1GRtFzPROHaQP5/av9XAkFQLH./GWMgU9Th30UULqkq/fv7JhaYqQ2wnpoUCH96TvodJIMqcsNlfP6h22dRmVlgHMg.umsE1BNQn0MnTaj89zg8zgTI/Fl4wtQRas2htmv9+IYYzXdzC6gP12UUvJ1iyige.IIWk0aeeX9Vf7VQLfZz0me4v2vVhvOpg9SDjIqje19kQwAXr5BGbwYst0Hgi/GiK.D1TZhA9Yyw+rAwZOaPZ7SETehRAEWENvOWZ5DwIDAQABAoIBAC7siuXjTHa3lIyw./egneVGrLOkYsZULjWfiMfCTFzW96JfwrhYu71oc57HUHQ9UwUfKtMyUEK/1Sykh.spR5mQ42/xy7giqPmOOsHuSzvdEvLza/C6KdtLhO8dLkyy3a+nVRUsI86s49grb1.7DahIDfhYQLqmqA8P2G9X1wfH1LXEEvQVs+T6M8vIQbLiJiNhmFC+BMU0ec/7j8m.DF9S1cIp/KtmyRECfiepNaakWvr2HvinhMNg9Lz4HICsfYUX6oM/mlB6hj3jVisp.8/SPepwUQ8mzQhQmXdbrMT0DLosVqgUj2WK/f95m2VzF7PktsagXW0Oqtg2A7FiP.9yB1xYECgYEA5vpJuYw3PPaec+jvm56kxFzO4quctU5tfCuB+gwloYvrACZLY7XN.6Qgk4+xInZtGcVabxhi9xlUlIiTkUf6tDNCsFniWCwRxJfkdB6UxgDP3laJzlZHa.M/2FCVSw56Y3YqRYiqIu9ZSxe572FEp6Q20/nDSR2qF0rd/wLRvox58CgYEAwn/X.cKXk45N60cHFcVQe0wEAj2V505N7mJC2muKNv3b/dcQnl7P65ENU7lS7Fy

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PEM certificate
Category:dropped
Size (bytes):1574
Entropy (8bit):5.905699622879769
Encrypted:false
SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
Malicious:false
Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4995416
Entropy (8bit):7.998905724333139
Encrypted:true
SSDEEP:98304:TsPj6quMBYyuSFOMKykvYgS/ylTpHufHMpPbOZ39c7T3eeom2vJtPShg:wPjzayuSgMKykQgSaTkvMxEYT3OfPShg
MD5:CEDE02D7AF62449A2C38C49ABECC0CD3
SHA1:B84B83A8A6741A17BFB5F3578B983C1DE512589D
SHA-256:66B797B3B4F99488F53C2B676610DFE9868984C779536891A8D8F73EE214BC4B
SHA-512:D2D99E06D49A5990B449CF31D82A33104A6B45164E76FBEB34C43D10BCD25C3622AF52E59A2D4B7F5F45F83C3BA4D23CF1A5FC0C03B3606F42426988E63A9770
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................L.......... ..................................................."L.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............K.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4995416
Entropy (8bit):7.998905724333139
Encrypted:true
SSDEEP:98304:TsPj6quMBYyuSFOMKykvYgS/ylTpHufHMpPbOZ39c7T3eeom2vJtPShg:wPjzayuSgMKykQgSaTkvMxEYT3OfPShg
MD5:CEDE02D7AF62449A2C38C49ABECC0CD3
SHA1:B84B83A8A6741A17BFB5F3578B983C1DE512589D
SHA-256:66B797B3B4F99488F53C2B676610DFE9868984C779536891A8D8F73EE214BC4B
SHA-512:D2D99E06D49A5990B449CF31D82A33104A6B45164E76FBEB34C43D10BCD25C3622AF52E59A2D4B7F5F45F83C3BA4D23CF1A5FC0C03B3606F42426988E63A9770
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ................................L.......... ..................................................."L.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............K.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:ASCII text
Category:dropped
Size (bytes):22445
Entropy (8bit):4.756022236735267
Encrypted:false
SSDEEP:384:35QzHCaou+vDy8tRP9v0Di6N9G5q+sP/oppqnd:3SGvprv0Di6N9GM+tp6d
MD5:077D74570F3BCDFAF1446A1B10AB477B
SHA1:115F6DBC318962C15400B8EAD9499E8997F9A70C
SHA-256:ADE6F7E4C5D2B6D1285686ECD968BC4F14AC53E7D568292EA2E4556A81E02072
SHA-512:63BF51961888A482A5D9727A9E6D2D5A81AA5492E64CBE15E731944E9036BA396D8DAFB22BCBAE58FFB0FCC4C1894BA527AEA06CED0B719319571801FD0BC501
Malicious:false
Preview:#.# sample.conf -- Sample (Maximal) Configuration for the Embedthis Appweb HTTP Server.# .# This sample demonstrates many directives that can be used in an appweb.conf file..# Do not use this file directly, it is too verbose. Rather cut the sections you need.# into your own, minimal configuration file...#.# Server home directory for Appweb to find configuration files. .# Appweb will change directory to this location when it runs..#.# Home "."..#.# Define the logging configuration first so any errors are logged..# This is for errors and debug trace. This log file is for the whole.# server including virtual hosts. Add a timestamp every 1 hour..# This is overridden by appweb command line args: -v and --log..#.ErrorLog "error.log" size=10MB level=2 backup=5 append anew stamp=1hr..#.# Control the tracing of request and response requests to the error log..# This directive defines the levels at which various events are logged..#.# Log rx conn=5 first=2 headers=3

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with very long lines (608), with CRLF, LF line terminators
Category:dropped
Size (bytes):25248
Entropy (8bit):4.535394761469598
Encrypted:false
SSDEEP:384:GxehBcD+eqacKS2MKfeJNzG51IBRXXRuaKlpNAiANMW++Ecq:Gxe/cDGacKS2ri9NBu3Ao
MD5:41E3D157C9F798864CF43D5D06B1B9B0
SHA1:A21EEBBBB4731FC3CDDC7D991B0F09DF98CA38E9
SHA-256:82E4E1E2308985217975220A67F77CA88C5314D6596B936651F1F276C84FE705
                                                                                                                                                                                                          SHA-512:976504083CDA58FE2AEF13B7E8F0F55B37B3AF83AA9A32EAAB0F5282DBA110C8D8B32DF7E270F613113E2B5FC1E2E97CE031F41DD209F438771DA37C28327A37
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>ITMS Download Agent</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }.. </script>.... <script src="js/RDMFileDownload.js
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):11622
                                                                                                                                                                                                          Entropy (8bit):4.857450404916044
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:yfH0r8C1rCUXDcHoHl6mHLCMXTBXcSfcxH0:y/0r8QrCUXDael68LCMXFMSfcxH0
                                                                                                                                                                                                          MD5:5459FAA5C92FBC7A4BABDF42DA898D0C
                                                                                                                                                                                                          SHA1:DC869A04188C349EF196FF28712BE5FF688277EA
                                                                                                                                                                                                          SHA-256:2B06B69E50F0A6208494783389A1982B0A37B3F0DDD998BB75A7F99761ED1A3C
                                                                                                                                                                                                          SHA-512:6BE248A7054DF13EF5FD4ABE668C5449C6F1278E1CBAAFF7E7251C605BB7DFF2C6803A1409466A346335BA844A3D8CFCD09DE57E0152C8FDB6C56F533F51FA6F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Endorsement Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="endorsementsJS" type="text/javascript">...... var sharedObject;.... function OnEndorseSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.. var configXML = "<additionaldata>";.. configXML = configXML + sharedObject.GetScannerConfiguration(DeviceID.options[DeviceID.selectedIndex].value, false);.. configXML = configXML + "</additionaldata>";.. var xmlDoc = $.parseXML(configXML);.... $physicalEndorsement = $(xmlDoc).find("PhysicalEn
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):15622
                                                                                                                                                                                                          Entropy (8bit):4.652831581163575
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:Oz7Ef0HdBrYjW17UKvyP5FUyWUnndXMNMasqve7mwm1Crxyw4:OsSdBrYjW17UKv65FUyWEndXMarZ4
                                                                                                                                                                                                          MD5:4E586642F7781A6E3CAF7898F93F1FED
                                                                                                                                                                                                          SHA1:40B52B3CF2808073270AFBCCA9830BC395062B83
                                                                                                                                                                                                          SHA-256:CDD71A5656EBF218BB2D94457D2930DC79D81F899B2A3D8A3A1634442554F6C8
                                                                                                                                                                                                          SHA-512:6ADB03888A5B2363AD842738AE4D323EF7E712534FFCAE82B5F2E87106A39EADB12D010261258C480821B0EA3543A6937D77046776DF78B020A9C6D34C7E897B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Additional Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="miscsettingsJS" type="text/javascript">...... var sharedObject;.... function OnMiscSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.... // disable any invalid options.. chkWantCodeline.disabled = true;.. chkCropImage.disabled = true;.. var ScannerVendor = sharedObject.document.getElementById("ScannerModel");.. //if (ScannerVendor.value != "SCI") {.. // RemoveSelectByValue("ReturnedImages", "front,rear,auxFront,aux
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):43367
                                                                                                                                                                                                          Entropy (8bit):4.531521815386101
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:qxe4deVLSh44rBLEXrGaaNmKS2Cg2sMGgxJTt3g38kos0u6rZjASgLq0w:qxe4DJNmKS2VMNZtuoZH
                                                                                                                                                                                                          MD5:7FA0B7B0DC9284A17618C73FDD20A983
                                                                                                                                                                                                          SHA1:2A2162A4998AC8C3AAE349392E6E9BBF03C9E42E
                                                                                                                                                                                                          SHA-256:44E7EF139E5DFD4EFEE3A806C0C56B45814096CC2183E4E05877FAC5226436B6
                                                                                                                                                                                                          SHA-512:A005D9CED8CBFA903020FFE1E0129F1253B8C7FBE6012884B0C4818F170E9DCE2ED30684FDC353D3ED145FD12FB43E76691F5A49A1128D5AD42AAA1197CE1C06
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <title>ITMS Scanner</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }..
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3838
                                                                                                                                                                                                          Entropy (8bit):5.088460692091686
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:BeuhLvClxA2HwBuE/Yjw/2lg6Y182BoNBdutalj2lxArHw32ly6Y182BoNB6kY0w:BJvl5BuU22QrpE32oQOK2ghdfgBfp
                                                                                                                                                                                                          MD5:F108F9ADD9825EB6AAE9F5297536C2C9
                                                                                                                                                                                                          SHA1:EF4D740B1105D5206978D34792E872D3A8A407E9
                                                                                                                                                                                                          SHA-256:3E7398F9667561DD5FB5CD0A1F5D5D0DF8A7F35D727B0019A21E10961A77B542
                                                                                                                                                                                                          SHA-512:B5B3C624E99C8AC61EB3E0B96F3A36D5ECA484D4BD33235667053CEF26C57FFEF3107859CB38939EB3F999ABF2A59CF91029985D1DDD689EACFBB70211C630E9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<html>..<head>..<script language="JavaScript" type="text/javascript">.... var SCM_Test_User="SCM_Test_Command";.. var SCM_Test_Host="https://localhost:736/SCM/4.0/scm.esp";.// Default......function scm_cmd_post(func, parm) // Post async request and let event do update..{.. var hr = new XMLHttpRequest();.....// Access the onerror event for the XMLHttpRequest object.. hr.onerror = function() {....alert("Error: Failed Accessing Device Interface !!");...}.... hr.open("POST", SCM_Test_Host, true);.... // Set content type header information for sending url encoded variables in the request.. hr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");.... // Access the onreadystatechange event for the XMLHttpRequest object.. hr.onreadystatechange = function() {... if (hr.readyState == 4 && hr.status == 200) {.... var return_data = hr.responseText;.....document.getElementById("txtTestResponse").value = "Async Post Result:\r\n"+return_data;...
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):42675
                                                                                                                                                                                                          Entropy (8bit):4.637657121816673
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:iLFkJLEsm17ztfMlzzCqd3R0WgrOMSKP/3Sx9TbUkcCDESxDME/Ogr+GN5J6eZ36:iLFQyQ394k5DX+/s8FAdVghXFi8NifMF
                                                                                                                                                                                                          MD5:CFE3EFB0072A24800CE4CD451B1908EF
                                                                                                                                                                                                          SHA1:E4E910E982F559E8B98E37C7303DE15DD7B88FEB
                                                                                                                                                                                                          SHA-256:FD62ACB879187BC4754E692109F0A6C4A11CBD0258992AD4159E2A3AB0B27BAE
                                                                                                                                                                                                          SHA-512:198237443B841DDC84BFEC25B79885BBF1B5D49F15783BFE8DE351E4AE72B2276C37D335417E90C549E4E7A9A0C19FFA738C0190864FACBF9BD484DDBEA99783
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!doctype html>.<html lang="en">.<head>. <meta charset="utf-8" />. <meta http-equiv="Content-Type" content="text/html;charset=utf-8">. <meta http-equiv="Cache-control" content="no-store, no-cache, must-revalidate">. <meta name="description" content="SCM SAPI Scanner Test for QE">. <meta name="author" content="Frank McGovern - RDM Corporation a Deluxe Company">. <style>. #RecoveryDiv {. width: 720px;. padding: 5px 0;. text-align: center;. background-color: lightblue;. margin-top: 5px;. }. </style>.. <title>SCM SAPI Scanner Test</title>. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>. <script type="text/javascript" src="js/jquery-ui-1.10.4.custom.min.js"></script>. <script type="text/javascript" src="js/sapi.js"></script>. <script type="text/javascript" src="js/sapiconstants.js"></script>.. <link type="text/css" rel="stylesheet" href="css/qescm.css">.. <s
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2693
                                                                                                                                                                                                          Entropy (8bit):5.04899888145215
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:WtWxeBwedOzuw9nvl3Go2nXBCuRBLvump4NDCGd+jEBN9aJ07WmcWdCLv93gz:WE0Yl4nRFL4NDCGojouJduglW
                                                                                                                                                                                                          MD5:13D4B9D21C71A89FC9EA4C351910F2E2
                                                                                                                                                                                                          SHA1:0AF352061C6C29F10398B0F8E2FB3B2B3DA6B072
                                                                                                                                                                                                          SHA-256:E8A691D35F929C64B5BC604BA580F35D531419493CE8CFB781EF13AEB6E019D2
                                                                                                                                                                                                          SHA-512:BD0D0F8BFAEA198D73A3D68BE315F623171985CBB27A1248FBE8A31CAE72FB97FA6D0ED10E10BEDF5D9DACBA87CE3656E2F0855339638A25E111D185E9D23480
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:* html body{}..html{}..body{...width: 100%;...height:100%;....padding:0;...margin:0;...font-family:helvetica,sans-serif;...background-color:#f2f2f2;..}....li a{...outline:none;..}....#wrapper{...min-height:100%;...position:relative;...background-color:#ffffff;..}....#topNav{...color:#ffffff;...background-color:#002341;...height:32px;...width:100%..}....#topLink{...list-style:none;...float:right;...margin-top:7px;...margin-right:120px;...font-size:15px;..}....#topLink li{...display:inline;...margin-left:20px;..}....#topLink a{...display:inline;...color:#ffffff;...text-decoration:none;...padding:7px;..}....#topLink a:hover{...text-decoration:none;...color:#ffffff;...background-color:#085472;..}.....inner{...max-width:960px;...min-width:480px;...margin-left:20px;...margin-right:auto;..}....#topBreak{...width:100%;...height:100px;..}....#topLogo{...margin-top:25px;...margin-left:25px;..}....#mainContent{...min-height:100px;...max-height:1200px;...width:100%;...background-color:#ffffff;...p
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2693
                                                                                                                                                                                                          Entropy (8bit):5.04899888145215
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:WtWxeBwedOzuw9nvl3Go2nXBCuRBLvump4NDCGd+jEBN9aJ07WmcWdCLv93gz:WE0Yl4nRFL4NDCGojouJduglW
                                                                                                                                                                                                          MD5:13D4B9D21C71A89FC9EA4C351910F2E2
                                                                                                                                                                                                          SHA1:0AF352061C6C29F10398B0F8E2FB3B2B3DA6B072
                                                                                                                                                                                                          SHA-256:E8A691D35F929C64B5BC604BA580F35D531419493CE8CFB781EF13AEB6E019D2
                                                                                                                                                                                                          SHA-512:BD0D0F8BFAEA198D73A3D68BE315F623171985CBB27A1248FBE8A31CAE72FB97FA6D0ED10E10BEDF5D9DACBA87CE3656E2F0855339638A25E111D185E9D23480
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:* html body{}..html{}..body{...width: 100%;...height:100%;....padding:0;...margin:0;...font-family:helvetica,sans-serif;...background-color:#f2f2f2;..}....li a{...outline:none;..}....#wrapper{...min-height:100%;...position:relative;...background-color:#ffffff;..}....#topNav{...color:#ffffff;...background-color:#002341;...height:32px;...width:100%..}....#topLink{...list-style:none;...float:right;...margin-top:7px;...margin-right:120px;...font-size:15px;..}....#topLink li{...display:inline;...margin-left:20px;..}....#topLink a{...display:inline;...color:#ffffff;...text-decoration:none;...padding:7px;..}....#topLink a:hover{...text-decoration:none;...color:#ffffff;...background-color:#085472;..}.....inner{...max-width:960px;...min-width:480px;...margin-left:20px;...margin-right:auto;..}....#topBreak{...width:100%;...height:100px;..}....#topLogo{...margin-top:25px;...margin-left:25px;..}....#mainContent{...min-height:100px;...max-height:1200px;...width:100%;...background-color:#ffffff;...p
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):677
Entropy (8bit):4.695614879709572
Encrypted:false
SSDEEP:12:UgOIOw2saGoBPjKzoGDvxl3N/ar/rJRnEmlaX6VFBTe6NIZ:7yjPylaMAk
MD5:1F0FC0CD5EAF79E6418F468D9CC6678A
SHA1:0FADFFC0A4871C634C8DBDCC07B76970B3865E40
SHA-256:18FEB6098A29EB0CB98BEA31049D01FC616C430F7BB0A2203277B6C173ED1B3C
SHA-512:0670DA5463F046889AB3A14BA97541E9A0E6183E3D25F1EDB0F7E9AAD5C2C382138A9115711FCF30B60D3DCCC7A90B50CCDF9367AB606DF77682A4A95A11292C
Malicious:false
Preview:/* Style the tab */...tab {.. overflow: hidden;.. border: 1px solid #ccc;.. background-color: #f1f1f1;..}..../* Style the buttons that are used to open the tab content */...tab button {.. background-color: inherit;.. float: left;.. border: none;.. outline: none;.. cursor: pointer;.. padding: 14px 16px;.. transition: 0.3s;..}..../* Change background color of buttons on hover */...tab button:hover {.. background-color: #ddd;..}..../* Create an active/current tablink class */...tab button.active {.. background-color: #ccc;..}..../* Style the tab content */...tabcontent {.. display: none;.. padding: 6px 12px;.. border: 1px solid #ccc;.. border-top: none;..}
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):677
Entropy (8bit):4.695614879709572
Encrypted:false
SSDEEP:12:UgOIOw2saGoBPjKzoGDvxl3N/ar/rJRnEmlaX6VFBTe6NIZ:7yjPylaMAk
MD5:1F0FC0CD5EAF79E6418F468D9CC6678A
SHA1:0FADFFC0A4871C634C8DBDCC07B76970B3865E40
SHA-256:18FEB6098A29EB0CB98BEA31049D01FC616C430F7BB0A2203277B6C173ED1B3C
SHA-512:0670DA5463F046889AB3A14BA97541E9A0E6183E3D25F1EDB0F7E9AAD5C2C382138A9115711FCF30B60D3DCCC7A90B50CCDF9367AB606DF77682A4A95A11292C
Malicious:false
Preview:/* Style the tab */...tab {.. overflow: hidden;.. border: 1px solid #ccc;.. background-color: #f1f1f1;..}..../* Style the buttons that are used to open the tab content */...tab button {.. background-color: inherit;.. float: left;.. border: none;.. outline: none;.. cursor: pointer;.. padding: 14px 16px;.. transition: 0.3s;..}..../* Change background color of buttons on hover */...tab button:hover {.. background-color: #ddd;..}..../* Create an active/current tablink class */...tab button.active {.. background-color: #ccc;..}..../* Style the tab content */...tabcontent {.. display: none;.. padding: 6px 12px;.. border: 1px solid #ccc;.. border-top: none;..}
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:GIF image data, version 89a, 40 x 40
Category:dropped
Size (bytes):1738
Entropy (8bit):7.502920326603858
Encrypted:false
SSDEEP:24:sGz2pFNTXqQcDpLTEejbYLIGAvYdq52UdgOjWTiTkb9NFw/y0tcsE:7ShTXqQK+ePYLIGQhgbykpvydtnE
MD5:2B912F7C0653008CA28EBACDA49025E7
SHA1:16FD304B0511EB4792545FF12A53C9C19F98FDF7
SHA-256:C7BCC76FB23C0430B36EC448EB79F8BC34129DAE95DA10F3C14ED0EACDF2F1B9
SHA-512:AB9701F82DADB01092AD78BDA4028E6E695F5CA2C7D2E27CB1D46E8E648BBD73E2A148C52927E9A4EB80ECCDB563FC3FD34CDF55B60ADE6153CBA29122859FB9
Malicious:false
Preview:GIF89a(.(..........!..NETSCAPE2.0.....!.......,....(.(.......z....KN...Y#......7.)z.......v[3....x..Pw..Ea..F.Of...V.Ye.||/..X\...Wr..o.$..m^..K0>.'.$u..f...6G....'Xg.5..5.....)9.):ZiYJ....y.Y..!.......,....(.(........}...Q6...a....._y.#.i.j.K.-|..K3^.....Pw..&KO..=7IfTz.LMYh.....cdX\1..ie..a.. ..}...wl.....5..Cg..GB.....)..'..hY9..IHy....YjZG.h'j85...P..!.......,....(.(........m...Q6.,.@o.-`.u$.>.I...z/...6.9~[....^O.......t6.Ac.:......v.N?cUX|.f.&6x......_~..G........(b.....8.X..%.x7IX..I9x......(I:.Y*.XYv..P..!.......,....(.(.....o....;.MZ..Y.|......([.....9.9......1`P.2...!.H.>oQ..W.^..d..s..c2...*Si.y.....x.[..s.^...VGW.wg...........x.Y.8I.I...yIZj.....)X.f).:.R..!.......,....(.(...........CqMZ..Ym.5W(..F~..'..-:.|......1p?..X...1d.F.SL.q...n..e^.A..<.V!......V..\..d=...v'....wh8...8hW......H..........I.y.F.Yi.Y:)y.z.*.IzT..!.......,....(.(...........;.MZ.E9m.m.'.exf..V+z.Mk.u.O.....i.3\..2...bQwt.. ...b..e.+M~.Hq.;....0..nC.[y....c
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 40 x 100, 2-bit grayscale, non-interlaced
Category:dropped
Size (bytes):212
Entropy (8bit):5.38272561855122
Encrypted:false
SSDEEP:6:6v/lhPnHvll2VztlN4EYyzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7vHWVztlyENzS+f3E52EML3Eflz
MD5:BE7FFA4D7FFD17E1D89F40F855FF4BDA
SHA1:F0FE1D67D4987DE9CF39A4411A198B17E4555C55
SHA-256:EF819A83D74E67F3354676FF3A3077F01B1BE9CFD17D26655EA32874C1B094E8
SHA-512:ADDDB90BE4BA90C48A9A0E39D12ED0159F15D3DB69B36F511D740A7DFB2BFB2FB33C21BAA0D8D403B3C6F3153CCB719B771909013097B389BE82EA448AF5E30F
Malicious:false
Preview:.PNG........IHDR...(...d.......5.....bKGD..3.r.....pHYs...H...H.F.k>....IDAT8.cX.....Q.(s.I....I./ZW.....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6922
Entropy (8bit):7.940828041549464
Encrypted:false
SSDEEP:96:EtbmwCm38cHXpuWxCxISffIuZ/vTwcZMCCn7/totek2HAqcRln2cM3+gpDR:AqdmzXpMbxMCK76tdqAZje+8N
MD5:A1B3887A86CF1791F23C0B53B4D3585F
SHA1:692A53CAD7F748BC7B691B98B9116CE3269CD22B
SHA-256:3B1AC036763D3A59C88578486AE698D22A37DD2D46A553485E1EABB9FE255B3F
SHA-512:A055B57AE02D64DD85EFED7EC939B8A50A35F85F18D1DE3245A9D634C9A613EE29CFF401BCBE222321A46AA77AB0EA705E917EC57A58B08002F55D2090B7AC71
Malicious:false
Preview:.PNG........IHDR.............E.r@....bKGD."..b.....pHYs...H...H.F.k>...'IDATx..{he.}.?g.....{..1.)......]K&qq.U.4k.biK.R(H...B..P(I.vJ._....IV.@.nB.5i.N...i.G.jq.&.~A#Q.....rX'.....9.:..{.3.E{.=.y.o~3g~..Mp..&.....1Xx.h8<...#dl..Mx..1.&..$..5..~...V.....c.$.......,..........i...N:.Z....Y...>.."..B...H!...........-..C.u.8t..}....8.!.B...*.OF...[.a...l...B&......1h.>..M]hN...4MAb....!(..h.E.1.5j.cO.<6.e7..,e...S(..f..o.16+3.y.JR.|.{.^3.^.....{.88..........~'.....px.h8<.4.........g............2..n..6e.......{......Q.......p...P.A..i...f.S.....(..D..'.L.6=......T:s...f.q...l....c.I......=.i...M.>...LN{.U..&.......&...{u...o...........4.~#.....px.h8<.4.........g.......p...^i....../.0.....TW..c.......Q.... .@)..y...u}`L...Uc...%T..................A..R..@.?..P.-`....BKl..b.....Z}.............uJ....%U.].K2..e..ts.Y...@,e.e.....r..jc.s...M..n..0.A...mP..y..D.K(5.,...lN.&b.D.m..rwYDV....t..e$.......L......[..C..0O...P...&..0.....+..;...g...3@........px.h8<.4
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 40 x 100, 1-bit grayscale, non-interlaced
Category:dropped
Size (bytes):208
Entropy (8bit):5.441070699788578
Encrypted:false
SSDEEP:6:6v/lhPYOljVztlNQkn7DvF2zgN+u+3dftGRxEML3dfttp:6v/7PxtlGqDvkzS+f37GEML37D
MD5:79D203EB970FDEE9B5FEE9DD3DCBC573
SHA1:E931594A1BE4241B4923C328C6E5061B9F0D0A4B
SHA-256:3C6BCFE102425A0E8CAA4A268C148F9D10E9C65B5277FC026299356EBD17C1DE
SHA-512:B40428CCB942FD8C5592EDC0343D3E5C2EA9EF4160F4580E23039DAA8AF5C34F507E58A36993BC7F77712441A687DFC7C203723D0BBF0E411D80DCF00F6C15F2
Malicious:false
Preview:.PNG........IHDR...(...d.......O.....bKGD.........pHYs...H...H.F.k>....IDAT(.c......(IU........{...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6999
Entropy (8bit):7.9356094432043145
Encrypted:false
SSDEEP:192:0H63l6XnD/aZzXcHhG8RL8h8xnJ4f8lKoQpID8Dj:33qbaZzXUnYh8lJ4fsgIS
MD5:302AE7A7AED5730C16146B677B123638
SHA1:D0144B794640E1126F782B5332C8539FE2D3AEF4
SHA-256:E2D1B1C7C51F8C30431327FE43029D62B6D5DFD2D95BBD6B8B9929C178DBA4BF
SHA-512:B65B0DCE5A2B0348F51E2D41E07A3A7B11F051E3A0517B5DD2EA2327C2E2DF0908CFA33597B34B2D1C89D6BFB91C9F432A564233DD9D763CEAC67A751B618378
Malicious:false
Preview:.PNG........IHDR.............E.r@....bKGD..I.( ....pHYs...H...H.F.k>...tIDATx..{le.}.?g..k..u...J.>D.C.^.Q...M..H..*MU...h.(*$H...R.*j...D.].....)..(M6..F.6!6..-..xI...i.-.. HN.8..s.u....g......f....7..3........7..x..^.../.2&...v&v.^.DL..l6I..-..o?...cn...D Iy.e.#d.0+.0.3..~.......0.g'L.V...[...R.C:B..~(...)$q.vX.u.B@...E@`H.N.G.....`TA.%=].qA.w..J)..u).9.:e.9d.`V..0.A{..=..BS*.....S..gF.A....-(D...R.@..".....g'.U.,eS.w.......j...*.)l.[.....HLy....9......j.a.I6..MR.~...~..nG....3........@........px.h8..4.~=@>...(...mE...3a\.`~..=u.....Q.....[..f.3W..A...i..oK}3w..gV........,.j....n2..*....m..M..].y=..xn"..co....L"..7]...EC.:d..H.z.E@W...f+^.e.6v.E4..O...`.......)l..:..7.....){._.....~".....px.h8..4.^.../......./..#..\@..S..^.T.0s.Zs.1.J..1.Pr....h.w...V..E.g....S..T..Q5.[.\B...O.`+..>}....\...6.../0..k.g...1[..Kh.....l.X....._.Z.^IA......^.N..4v...OW=%i^.<...9.t.f .2.......B.Hg.6....!u..\.Z..&.....2....s....U.]..i.T..... ..]..Ua.q;].A...:.r.G-3.<.F..n
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
Category:dropped
Size (bytes):4549
Entropy (8bit):7.7588806674823365
Encrypted:false
SSDEEP:96:gezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:gebVPOjmYBL0o7j+AdJQgEza
MD5:5C78585B80FBF4342D21674A04E89C8B
SHA1:BA54B02521C09485695A9F409BA3E6FF7EDE90AD
SHA-256:003822ED55AD9191E071798370E41363A617B138EAE18623AD9D864CA5F357CE
SHA-512:77B280FAB498352647A1271A7B9E1D7A54EA3E30838A780BA2DB649ADDF7E8BBADACAF0A00BFA37BA7E7EB3084E90810451E8ECEC2647D3917507EFD17B90CDC
Malicious:false
Preview:.PNG........IHDR..............IJ.....PLTE..............................................................................................................................................................................................................................................................................4.v....YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:GIF image data, version 89a, 40 x 40
Category:dropped
Size (bytes):1738
Entropy (8bit):7.502920326603858
Encrypted:false
SSDEEP:24:sGz2pFNTXqQcDpLTEejbYLIGAvYdq52UdgOjWTiTkb9NFw/y0tcsE:7ShTXqQK+ePYLIGQhgbykpvydtnE
MD5:2B912F7C0653008CA28EBACDA49025E7
SHA1:16FD304B0511EB4792545FF12A53C9C19F98FDF7
SHA-256:C7BCC76FB23C0430B36EC448EB79F8BC34129DAE95DA10F3C14ED0EACDF2F1B9
SHA-512:AB9701F82DADB01092AD78BDA4028E6E695F5CA2C7D2E27CB1D46E8E648BBD73E2A148C52927E9A4EB80ECCDB563FC3FD34CDF55B60ADE6153CBA29122859FB9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:GIF89a(.(..........!..NETSCAPE2.0.....!.......,....(.(.......z....KN...Y#......7.)z.......v[3....x..Pw..Ea..F.Of...V.Ye.||/..X\...Wr..o.$..m^..K0>.'.$u..f...6G....'Xg.5..5.....)9.):ZiYJ....y.Y..!.......,....(.(........}...Q6...a....._y.#.i.j.K.-|..K3^.....Pw..&KO..=7IfTz.LMYh.....cdX\1..ie..a.. ..}...wl.....5..Cg..GB.....)..'..hY9..IHy....YjZG.h'j85...P..!.......,....(.(........m...Q6.,.@o.-`.u$.>.I...z/...6.9~[....^O.......t6.Ac.:......v.N?cUX|.f.&6x......_~..G........(b.....8.X..%.x7IX..I9x......(I:.Y*.XYv..P..!.......,....(.(.....o....;.MZ..Y.|......([.....9.9......1`P.2...!.H.>oQ..W.^..d..s..c2...*Si.y.....x.[..s.^...VGW.wg...........x.Y.8I.I...yIZj.....)X.f).:.R..!.......,....(.(...........CqMZ..Ym.5W(..F~..'..-:.|......1p?..X...1d.F.SL.q...n..e^.A..<.V!......V..\..d=...v'....wh8...8hW......H..........I.y.F.Yi.Y:)y.z.*.IzT..!.......,....(.(...........;.MZ.E9m.m.'.exf..V+z.Mk.u.O.....i.3\..2...bQwt.. ...b..e.+M~.Hq.;....0..nC.[y....c
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):4549
                                                                                                                                                                                                          Entropy (8bit):7.787336530544679
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:eezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:eebVPOjmYBL0o7j+AdJQgEza
                                                                                                                                                                                                          MD5:764C37EFBF6D7FFC176B466FADC6F2CA
                                                                                                                                                                                                          SHA1:A57A7F1775369985C3335C351575DF127C6CFEA2
                                                                                                                                                                                                          SHA-256:3D3E274632C78C97B550BB7D2291462E2584F523A15CDC1B9535E7BFABD0CE30
                                                                                                                                                                                                          SHA-512:206A63D9A0B0A4DB870FD927C8E6AB4E2C890A9F3ADACB6B43B6B735D45FE62D92A2B91003C176D7D6DDFA076BB6E6DDDB3A8520F1030BE64877214288CD0F62
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR..............IJ.....PLTE.................................................................................................................................................................................................................................................................................o...YtRNS...3..P.../"Uq@f`..2..!<.BHK .Z#'1S,.4...j...8E....|.........)...Q$.......b.J..m.Gc?o..h.@^.....bKGD....H....pHYs...H...H.F.k>...dIDATx..].c....H..].K....d..%....lm....w].....|.p..X..m.-....}<.w.(....1.$...;..F.@..%..?......B,..L.h{.t...#....T@./?.j...9..m..N. #...+`....`..I....._.-s..U0..M...[...s..4`x.....#....D<....~...K....4.]`..PDDDDDD.q......Ek@....A...~.*.....!Y...X...`.hv3\LX...Ot.J.2.b..l.QI<.... ...6..-X.l..6..H..|=j..`E.iq....Cv:..q............C?.?.....x.,..r*t..}|;.kP.4....d.Y....f....K..~[.>.X:+.i.......QV.9.\.....e...'...A.tO.S.:7..2.....YsxM....B....&....z.>n.C...@..r@...*.a.....%...MFDDDDDD.T.....H,...E....RU..n....<..V-.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1 x 400, 1-bit grayscale, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):207
                                                                                                                                                                                                          Entropy (8bit):5.421473036166773
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:6v/lhPh3DVztlNLyjl2XIzgN+u+3dfP6tgg2EML3dfP6uup:6v/7JBtlxXIzS+f3p6tgg2EML3p6j
                                                                                                                                                                                                          MD5:B790D06E1309EDF0A735331A2D2EB539
                                                                                                                                                                                                          SHA1:16ADC28CB33F544C1C88103421F091B62EFA2FD6
                                                                                                                                                                                                          SHA-256:DA621753D6DF757A81DD67C656B8B71E0A43067D3EBB3F46715A704C734CA35C
                                                                                                                                                                                                          SHA-512:AA15D5F1BF4D8680AF67AE377251AA876AB8541899ABFB89539D3632D948BF9BC5A93E5057CD8FFF240AB19AD5CE750B51D004F6344E960E501AD385C6480A49
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR.............G#7v....bKGD.........pHYs...H...H.F.k>....IDAT(.ch`...p....h...4.i...%tEXtdate:create.2014-01-19T18:55:02-08:00.......%tEXtdate:modify.2014-01-19T18:55:02-08:00...p....IEND.B`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):332
                                                                                                                                                                                                          Entropy (8bit):6.459714673231968
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:6v/lhPh1rZTp5mtlNYkx7GFaO29kJ/iNB9o7+2vEK9ZfES5lB2zgN+u+3dfWVd6c:6v/7J1rZVQtlOnwk1em+2vEKvEA2zS+c
                                                                                                                                                                                                          MD5:44606DD4F249740D494943643B1C8718
                                                                                                                                                                                                          SHA1:BEBC84E5BB020065A1D790101B9345AA21EC7633
                                                                                                                                                                                                          SHA-256:EF724E84645EF2DC9769BDDCB6FE832407372A4740C6AEF3E25AEA2AE6F51853
                                                                                                                                                                                                          SHA-512:7B73C187AA88FF5CE5671D620D9F8933A3B5ED04F95929970A7F785F50232AACE33E5135EA242A2C89339D750437B0B40D12928B7CD768A008D743FBAAF73590
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH.....a........\!V....J#X.....D}.....f.>....>...P..x...x......q....u...q...f.+..6....[..\.......W.T4r...6:.]V:...,.(....8..y.G-(d...H...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6992
                                                                                                                                                                                                          Entropy (8bit):7.9272661175047565
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:LZYGBeZMj+hjoHCZi6hO7IEyv46uByg78SmVNN2AxGiaiBK+aOvAdCO6cIi29TvE:LRj+h1tkIz46uhhwNNlGiaiBKmA4Uw2Z
                                                                                                                                                                                                          MD5:6B29E362591A05E270B33C4FC3F67CB2
                                                                                                                                                                                                          SHA1:6CB0B3A5C3CB2EE9FBAEF3CB156C06BB4F15FC82
                                                                                                                                                                                                          SHA-256:A8D28E2D83A807B2B86ED2A02E31086F6C0718DFA96E0BA6A4577B657F69CC34
                                                                                                                                                                                                          SHA-512:B73EB60C9B76FD504D46E5844673D9624C1A62A1F0C099F3C79242AEF4856C40CE6B97E38DB713CCC5E131D6C02615E90127350610A0A4D49959E56C940C6813
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR.............E.r@....bKGD.E.;.-....pHYs...H...H.F.k>...mIDATx..{leG}.?g.K..$.....U.!.>T....J..i6A".V..R%;.."...*UP).../......z..RJ..F....QP...z..BQ.H.VU.........5s..9..^.3...{~....7s.7...<.......`...... c...A.b/..@..[.V.D...0..3AX9..0.N...._..B.......&...>~..>..c.;ab..D..E......Q.z..'k...M.ay......6..!.:u.:..:@R....B.yDD....'.L..-.f.]S..q.!..f...S....Q.&..S..7MC..r==3d.J...{...f.Z...S0.Ms..:0K.g........&H.U.=.mc.4.i?U..G..U4.hc..Qb....].!..hL...W.../........@........px.h8.~.|.A...Qf?....1f......=u.....Q.GJH...p....P.I.w.m.....>2.....".W.P&{..n....T:s...f.q...H@.....c.I.......~.S.s+.^|B.n.29..d..H.......]..v.-.-m.e.h.>..........q&....g..9x.#c..n..~!.....px.h8..4.^.../.......o..#..Z@..S....^..4. K.ZKP..d.9...C@.F[.......,..a+......]8..v..K..q.H.l.w9...84.K.B...|..&...#..[.\C.....`..R..!.....:.F.z..C...6..)A....T1wU.I..!4..ig.3w.............E:..q7.......n..0uA...mP..y..T.K(5....lN.b.T....rw.DV.]..t..e4...7....L......[..C..0....P...&..0
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):262
                                                                                                                                                                                                          Entropy (8bit):5.951536690657124
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:6v/lhPh8EFtlNeMI2WoVk08K6x2zgN+u+3dftGRxEML3dfttp:6v/7JptlUM4oVN8KhzS+f37GEML37D
                                                                                                                                                                                                          MD5:5AA0A5172050CF33EE52543E2A39F650
                                                                                                                                                                                                          SHA1:353190E4DDA3C63D693BCA9DEC6ABCD092796322
                                                                                                                                                                                                          SHA-256:A0FCE4E506385D26CD1DD95EB2CA995C9541DD43153159C8313F32A3A0374792
                                                                                                                                                                                                          SHA-512:D0D82FCAA75C6EC976B63B11169F266903EB6DDD15B44CEC1C2F5A9BD9654F446AE17D0EF7526C263EFE753E6B39F46906F595FBAEA8543976F7493DB757BE36
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..0.F...g.....ax1..e&.8..!.ob..2..fx......#3......>...QD....@.$..5o...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1 x 100, 16-bit grayscale, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):280
                                                                                                                                                                                                          Entropy (8bit):6.115389891689244
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:6v/lhPeNkFtlNokzySWow3tumS4E8U0xzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7WNEtl+LZoat3S4e0xzS+f3E52EMa
                                                                                                                                                                                                          MD5:443BD890A55AD6B7E5FC5383F730A44C
                                                                                                                                                                                                          SHA1:D18316E7AFC637F466687831C460A8B767615776
                                                                                                                                                                                                          SHA-256:E8CFB6E4753C0E1ED877146B6F497A733EEDCDA8BE4264C91A191204DFD9FB94
                                                                                                                                                                                                          SHA-512:B0B792C2EC487A0007F8F27FEA0D8DE9EF149092461E8334A433EB8F3CD6BE86A46EA53FA40CA84D9A3B384803AAD144573B4CD88CBBE9A09E0A98D11630E9D5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR.......d.....2.......bKGD....1.....pHYs...H...H.F.k>...ZIDAT..cx|..Nh.........2<hc._.p/..n,....[_.n.g...p=.......w2\je.X.pa...&.s....b8..p...".....Y{....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):262
                                                                                                                                                                                                          Entropy (8bit):5.967325013380225
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:6v/lhPh8EFtlNeEvLpLa8qtqDUblKzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7JptlUILUPtylzS+f3E52EML3Eflz
                                                                                                                                                                                                          MD5:557FC2338A04EEEF50F3C7D45DDE2F98
                                                                                                                                                                                                          SHA1:05EC73A146736833B10B068CC948A87DFDB29CBA
                                                                                                                                                                                                          SHA-256:2F840CC0DE69EC024C62422982CB1336FCC580BD1AA1AA20BF1F5C7DE9A08BBF
                                                                                                                                                                                                          SHA-512:E65F56FD50B3D735D9271A0D321388BE4713518E8C26057C7487C704191CE0BD6981D4F5F77E3FBCBE646C738F125D394047D9E0B79F26ECF4F6E30245AAC44C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..a.."..[..n{1.qc...po"..?..3..}`xR...1.s?....^^bxu..u)..h.....W.%R..|...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):335
Entropy (8bit):6.506923664922411
Encrypted:false
SSDEEP:6:6v/lhPh1rZTp5mtlNg7cZPJdE0CDRGnmQflByQL4xzgN+u+3dfWVd6q2EML3dfWn:6v/7J1rZVQtl5gR8nBtx4xzS+f3E52ER
MD5:83DB3DC94C956A82963FDF628F9D8759
SHA1:CFF216A08143F03C8636DDF90A726726D7091682
SHA-256:577C14708886C14A477778473401F82C713E81678BAFC84A7F6FE8E1BAD51148
SHA-512:6AAD50376B828DB160396517EBB256FE36A8648EECD9929A133C4F1B439B1E8C75130D87FB3A611D206B9A43504AA1DC31C1D2F27C89F8FA37CE80FB65C44E27
Malicious:false
Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH...!..A.....b.l.....A.1{..V.Y0i..x...x..v......D.K_..O..9....a......}..^..Ja..0b.vBA.$.,.Q..."_44....=.Sqc..yE..I..W..<kA....i.0....<a$S..y....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 40 x 100, 2-bit grayscale, non-interlaced
Category:dropped
Size (bytes):212
Entropy (8bit):5.38272561855122
Encrypted:false
SSDEEP:6:6v/lhPnHvll2VztlN4EYyzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7vHWVztlyENzS+f3E52EML3Eflz
MD5:BE7FFA4D7FFD17E1D89F40F855FF4BDA
SHA1:F0FE1D67D4987DE9CF39A4411A198B17E4555C55
SHA-256:EF819A83D74E67F3354676FF3A3077F01B1BE9CFD17D26655EA32874C1B094E8
SHA-512:ADDDB90BE4BA90C48A9A0E39D12ED0159F15D3DB69B36F511D740A7DFB2BFB2FB33C21BAA0D8D403B3C6F3153CCB719B771909013097B389BE82EA448AF5E30F
Malicious:false
Preview:.PNG........IHDR...(...d.......5.....bKGD..3.r.....pHYs...H...H.F.k>....IDAT8.cX.....Q.(s.I....I./ZW.....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 40 x 100, 1-bit grayscale, non-interlaced
Category:dropped
Size (bytes):208
Entropy (8bit):5.441070699788578
Encrypted:false
SSDEEP:6:6v/lhPYOljVztlNQkn7DvF2zgN+u+3dftGRxEML3dfttp:6v/7PxtlGqDvkzS+f37GEML37D
MD5:79D203EB970FDEE9B5FEE9DD3DCBC573
SHA1:E931594A1BE4241B4923C328C6E5061B9F0D0A4B
SHA-256:3C6BCFE102425A0E8CAA4A268C148F9D10E9C65B5277FC026299356EBD17C1DE
SHA-512:B40428CCB942FD8C5592EDC0343D3E5C2EA9EF4160F4580E23039DAA8AF5C34F507E58A36993BC7F77712441A687DFC7C203723D0BBF0E411D80DCF00F6C15F2
Malicious:false
Preview:.PNG........IHDR...(...d.......O.....bKGD.........pHYs...H...H.F.k>....IDAT(.c......(IU........{...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):335
Entropy (8bit):6.506923664922411
Encrypted:false
SSDEEP:6:6v/lhPh1rZTp5mtlNg7cZPJdE0CDRGnmQflByQL4xzgN+u+3dfWVd6q2EML3dfWn:6v/7J1rZVQtl5gR8nBtx4xzS+f3E52ER
MD5:83DB3DC94C956A82963FDF628F9D8759
SHA1:CFF216A08143F03C8636DDF90A726726D7091682
SHA-256:577C14708886C14A477778473401F82C713E81678BAFC84A7F6FE8E1BAD51148
SHA-512:6AAD50376B828DB160396517EBB256FE36A8648EECD9929A133C4F1B439B1E8C75130D87FB3A611D206B9A43504AA1DC31C1D2F27C89F8FA37CE80FB65C44E27
Malicious:false
Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH...!..A.....b.l.....A.1{..V.Y0i..x...x..v......D.K_..O..9....a......}..^..Ja..0b.vBA.$.,.Q..."_44....=.Sqc..yE..I..W..<kA....i.0....<a$S..y....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 1-bit grayscale, non-interlaced
Category:dropped
Size (bytes):207
Entropy (8bit):5.421473036166773
Encrypted:false
SSDEEP:6:6v/lhPh3DVztlNLyjl2XIzgN+u+3dfP6tgg2EML3dfP6uup:6v/7JBtlxXIzS+f3p6tgg2EML3p6j
MD5:B790D06E1309EDF0A735331A2D2EB539
SHA1:16ADC28CB33F544C1C88103421F091B62EFA2FD6
SHA-256:DA621753D6DF757A81DD67C656B8B71E0A43067D3EBB3F46715A704C734CA35C
SHA-512:AA15D5F1BF4D8680AF67AE377251AA876AB8541899ABFB89539D3632D948BF9BC5A93E5057CD8FFF240AB19AD5CE750B51D004F6344E960E501AD385C6480A49
Malicious:false
Preview:.PNG........IHDR.............G#7v....bKGD.........pHYs...H...H.F.k>....IDAT(.ch`...p....h...4.i...%tEXtdate:create.2014-01-19T18:55:02-08:00.......%tEXtdate:modify.2014-01-19T18:55:02-08:00...p....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
Category:dropped
Size (bytes):262
Entropy (8bit):5.967325013380225
Encrypted:false
SSDEEP:6:6v/lhPh8EFtlNeEvLpLa8qtqDUblKzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7JptlUILUPtylzS+f3E52EML3Eflz
MD5:557FC2338A04EEEF50F3C7D45DDE2F98
SHA1:05EC73A146736833B10B068CC948A87DFDB29CBA
SHA-256:2F840CC0DE69EC024C62422982CB1336FCC580BD1AA1AA20BF1F5C7DE9A08BBF
SHA-512:E65F56FD50B3D735D9271A0D321388BE4713518E8C26057C7487C704191CE0BD6981D4F5F77E3FBCBE646C738F125D394047D9E0B79F26ECF4F6E30245AAC44C
Malicious:false
Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..a.."..[..n{1.qc...po"..?..3..}`xR...1.s?....^^bxu..u)..h.....W.%R..|...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit grayscale, non-interlaced
Category:dropped
Size (bytes):262
Entropy (8bit):5.951536690657124
Encrypted:false
SSDEEP:6:6v/lhPh8EFtlNeMI2WoVk08K6x2zgN+u+3dftGRxEML3dfttp:6v/7JptlUM4oVN8KhzS+f37GEML37D
MD5:5AA0A5172050CF33EE52543E2A39F650
SHA1:353190E4DDA3C63D693BCA9DEC6ABCD092796322
SHA-256:A0FCE4E506385D26CD1DD95EB2CA995C9541DD43153159C8313F32A3A0374792
SHA-512:D0D82FCAA75C6EC976B63B11169F266903EB6DDD15B44CEC1C2F5A9BD9654F446AE17D0EF7526C263EFE753E6B39F46906F595FBAEA8543976F7493DB757BE36
Malicious:false
Preview:.PNG........IHDR................D....bKGD....1.....pHYs...H...H.F.k>...HIDAT8.cx..0.F...g.....ax1..e&.8..!.ob..2..fx......#3......>...QD....@.$..5o...%tEXtdate:create.2014-01-19T18:55:12-08:00.M.R...%tEXtdate:modify.2014-01-19T18:55:12-08:00........IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 400, 16-bit/color RGB, non-interlaced
Category:dropped
Size (bytes):332
Entropy (8bit):6.459714673231968
Encrypted:false
SSDEEP:6:6v/lhPh1rZTp5mtlNYkx7GFaO29kJ/iNB9o7+2vEK9ZfES5lB2zgN+u+3dfWVd6c:6v/7J1rZVQtlOnwk1em+2vEKvEA2zS+c
MD5:44606DD4F249740D494943643B1C8718
SHA1:BEBC84E5BB020065A1D790101B9345AA21EC7633
SHA-256:EF724E84645EF2DC9769BDDCB6FE832407372A4740C6AEF3E25AEA2AE6F51853
SHA-512:7B73C187AA88FF5CE5671D620D9F8933A3B5ED04F95929970A7F785F50232AACE33E5135EA242A2C89339D750437B0B40D12928B7CD768A008D743FBAAF73590
Malicious:false
Preview:.PNG........IHDR...............A.....bKGD.......X......pHYs...H...H.F.k>....IDATH.....a........\!V....J#X.....D}.....f.>....>...P..x...x......q....u...q...f.+..6....[..\.......W.T4r...6:.]V:...,.(....8..y.G-(d...H...%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 1 x 100, 16-bit grayscale, non-interlaced
Category:dropped
Size (bytes):280
Entropy (8bit):6.115389891689244
Encrypted:false
SSDEEP:6:6v/lhPeNkFtlNokzySWow3tumS4E8U0xzgN+u+3dfWVd6q2EML3dfWVdhldp:6v/7WNEtl+LZoat3S4e0xzS+f3E52EMa
MD5:443BD890A55AD6B7E5FC5383F730A44C
SHA1:D18316E7AFC637F466687831C460A8B767615776
SHA-256:E8CFB6E4753C0E1ED877146B6F497A733EEDCDA8BE4264C91A191204DFD9FB94
SHA-512:B0B792C2EC487A0007F8F27FEA0D8DE9EF149092461E8334A433EB8F3CD6BE86A46EA53FA40CA84D9A3B384803AAD144573B4CD88CBBE9A09E0A98D11630E9D5
Malicious:false
Preview:.PNG........IHDR.......d.....2.......bKGD....1.....pHYs...H...H.F.k>...ZIDAT..cx|..Nh.........2<hc._.p/..n,....[_.n.g...p=.......w2\je.X.pa...&.s....b8..p...".....Y{....%tEXtdate:create.2014-01-19T18:55:13-08:00.:.....%tEXtdate:modify.2014-01-19T18:55:13-08:00dg.Z....IEND.B`.

                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6922
Entropy (8bit):7.940828041549464
Encrypted:false
SSDEEP:96:EtbmwCm38cHXpuWxCxISffIuZ/vTwcZMCCn7/totek2HAqcRln2cM3+gpDR:AqdmzXpMbxMCK76tdqAZje+8N
MD5:A1B3887A86CF1791F23C0B53B4D3585F
SHA1:692A53CAD7F748BC7B691B98B9116CE3269CD22B
SHA-256:3B1AC036763D3A59C88578486AE698D22A37DD2D46A553485E1EABB9FE255B3F
SHA-512:A055B57AE02D64DD85EFED7EC939B8A50A35F85F18D1DE3245A9D634C9A613EE29CFF401BCBE222321A46AA77AB0EA705E917EC57A58B08002F55D2090B7AC71
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
Category:dropped
Size (bytes):4549
Entropy (8bit):7.787336530544679
Encrypted:false
SSDEEP:96:eezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:eebVPOjmYBL0o7j+AdJQgEza
MD5:764C37EFBF6D7FFC176B466FADC6F2CA
SHA1:A57A7F1775369985C3335C351575DF127C6CFEA2
SHA-256:3D3E274632C78C97B550BB7D2291462E2584F523A15CDC1B9535E7BFABD0CE30
SHA-512:206A63D9A0B0A4DB870FD927C8E6AB4E2C890A9F3ADACB6B43B6B735D45FE62D92A2B91003C176D7D6DDFA076BB6E6DDDB3A8520F1030BE64877214288CD0F62
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6992
Entropy (8bit):7.9272661175047565
Encrypted:false
SSDEEP:96:LZYGBeZMj+hjoHCZi6hO7IEyv46uByg78SmVNN2AxGiaiBK+aOvAdCO6cIi29TvE:LRj+h1tkIz46uhhwNNlGiaiBKmA4Uw2Z
MD5:6B29E362591A05E270B33C4FC3F67CB2
SHA1:6CB0B3A5C3CB2EE9FBAEF3CB156C06BB4F15FC82
SHA-256:A8D28E2D83A807B2B86ED2A02E31086F6C0718DFA96E0BA6A4577B657F69CC34
SHA-512:B73EB60C9B76FD504D46E5844673D9624C1A62A1F0C099F3C79242AEF4856C40CE6B97E38DB713CCC5E131D6C02615E90127350610A0A4D49959E56C940C6813
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit gray+alpha, non-interlaced
Category:dropped
Size (bytes):6999
Entropy (8bit):7.9356094432043145
Encrypted:false
SSDEEP:192:0H63l6XnD/aZzXcHhG8RL8h8xnJ4f8lKoQpID8Dj:33qbaZzXUnYh8lJ4fsgIS
MD5:302AE7A7AED5730C16146B677B123638
SHA1:D0144B794640E1126F782B5332C8539FE2D3AEF4
SHA-256:E2D1B1C7C51F8C30431327FE43029D62B6D5DFD2D95BBD6B8B9929C178DBA4BF
SHA-512:B65B0DCE5A2B0348F51E2D41E07A3A7B11F051E3A0517B5DD2EA2327C2E2DF0908CFA33597B34B2D1C89D6BFB91C9F432A564233DD9D763CEAC67A751B618378
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PNG image data, 256 x 240, 8-bit colormap, non-interlaced
Category:dropped
Size (bytes):4549
Entropy (8bit):7.7588806674823365
Encrypted:false
SSDEEP:96:gezHbJHvBKzqOmbEiFaEn4L0347j+MZdJdaDgEz3iXPR:gebVPOjmYBL0o7j+AdJQgEza
MD5:5C78585B80FBF4342D21674A04E89C8B
SHA1:BA54B02521C09485695A9F409BA3E6FF7EDE90AD
SHA-256:003822ED55AD9191E071798370E41363A617B138EAE18623AD9D864CA5F357CE
SHA-512:77B280FAB498352647A1271A7B9E1D7A54EA3E30838A780BA2DB649ADDF7E8BBADACAF0A00BFA37BA7E7EB3084E90810451E8ECEC2647D3917507EFD17B90CDC
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (25266)
Category:dropped
Size (bytes):27102
Entropy (8bit):4.997758237821455
Encrypted:false
SSDEEP:192:L1Xt0YpyiW4wuxrjM1bXrJLzB3NCNPHyV6C2MZuQEjQDMsrsUR9IU+4mvCyB8gBZ:IYpyixDGFLzBEVk+4mvFL/72fZBhV5OR
MD5:8670AFABE3FDF47BC56FBA5DF45024D2
SHA1:C7AF8621CB5FBC970DFE5666C668232E7A593387
SHA-256:1D8755B3DAB9E189A8F4326A3328E7F4FA7F51849B0F50C29A3368CEA9C5704F
SHA-512:08F39518D5194A2A653A7049D2FEEBF5497CB93EA1A479BBB7307B484726C9FEFC5CC07B69440D0051DAE0A329D14BEFEC31D9AEE6656F344037C85822037D0E
Malicious:false
Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (1339)
Category:dropped
Size (bytes):32021
Entropy (8bit):5.078949048223651
Encrypted:false
SSDEEP:192:L1Xt0YpyiuMfQY+wA1r0sNJdBYUPSMfe3zYTda5Y6BjSmMErEURHwn58OV4v9i6V:IYpyiuy1TO+z+eI5HVfzS25Sfp
MD5:ECB5EA6E7495242AD82F926B62DBDCB3
SHA1:F465442DD28791C27D7AAEADB15A8AC04496F157
SHA-256:0010F5E0DA2C54B659E5A3B375DE604E442164E6C72A5D82E8599935A57233C5
SHA-512:92849ACF439C398290607B50DDCC6F4E5221C97463F45F3E414640B11357AB68F6AD5803A9782E041459CD2E094D7E1585EC07F0441698F1CB3BC0E6CFCFB6EF
Malicious:false
Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (1339)
Category:dropped
Size (bytes):32021
Entropy (8bit):5.078949048223651
Encrypted:false
SSDEEP:192:L1Xt0YpyiuMfQY+wA1r0sNJdBYUPSMfe3zYTda5Y6BjSmMErEURHwn58OV4v9i6V:IYpyiuy1TO+z+eI5HVfzS25Sfp
MD5:ECB5EA6E7495242AD82F926B62DBDCB3
SHA1:F465442DD28791C27D7AAEADB15A8AC04496F157
SHA-256:0010F5E0DA2C54B659E5A3B375DE604E442164E6C72A5D82E8599935A57233C5
SHA-512:92849ACF439C398290607B50DDCC6F4E5221C97463F45F3E414640B11357AB68F6AD5803A9782E041459CD2E094D7E1585EC07F0441698F1CB3BC0E6CFCFB6EF
Malicious:false
Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (25266)
Category:dropped
Size (bytes):27102
Entropy (8bit):4.997758237821455
Encrypted:false
SSDEEP:192:L1Xt0YpyiW4wuxrjM1bXrJLzB3NCNPHyV6C2MZuQEjQDMsrsUR9IU+4mvCyB8gBZ:IYpyixDGFLzBEVk+4mvFL/72fZBhV5OR
MD5:8670AFABE3FDF47BC56FBA5DF45024D2
SHA1:C7AF8621CB5FBC970DFE5666C668232E7A593387
SHA-256:1D8755B3DAB9E189A8F4326A3328E7F4FA7F51849B0F50C29A3368CEA9C5704F
SHA-512:08F39518D5194A2A653A7049D2FEEBF5497CB93EA1A479BBB7307B484726C9FEFC5CC07B69440D0051DAE0A329D14BEFEC31D9AEE6656F344037C85822037D0E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/*! jQuery UI - v1.10.4 - 2014-01-21.* http://jqueryui.com.* Includes: jquery.ui.core.css, jquery.ui.resizable.css, jquery.ui.selectable.css, jquery.ui.accordion.css, jquery.ui.autocomplete.css, jquery.ui.button.css, jquery.ui.datepicker.css, jquery.ui.dialog.css, jquery.ui.menu.css, jquery.ui.progressbar.css, jquery.ui.slider.css, jquery.ui.spinner.css, jquery.ui.tabs.css, jquery.ui.tooltip.css, jquery.ui.theme.css.* To view and modify this theme, visit http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1.1em&cornerRadius=4px&bgColorHeader=cccccc&bgTextureHeader=highlight_soft&bgImgOpacityHeader=75&borderColorHeader=aaaaaa&fcHeader=222222&iconColorHeader=222222&bgColorContent=ffffff&bgTextureContent=flat&bgImgOpacityContent=75&borderColorContent=aaaaaa&fcContent=222222&iconColorContent=222222&bgColorDefault=e6e6e6&bgTextureDefault=glass&bgImgOpacityDefault=75&borderColorDefault=d3d3d3&fcDefault=555555&iconColorDefault=888888&bgColorHover
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2999
                                                                                                                                                                                                          Entropy (8bit):3.9357714030301936
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:QEipEr2in2hH6WOtfcHi18SG7EG+WZ4WN83+/pDv6j6dtimCiw4bPL1yrKDbSBv6:HK1FROta08t7E/gbN1pv6u04bPL1ye
                                                                                                                                                                                                          MD5:7DAA7CFF4BDB6A6B4C33AECA089DEBFF
                                                                                                                                                                                                          SHA1:04118F802E9DAAA1EFF20B00E333AA011340856C
                                                                                                                                                                                                          SHA-256:68ED09555E1B0D56AA83887C3F8B086359C337897149BC9C2854373FDCDA75A3
                                                                                                                                                                                                          SHA-512:DC39F36273A4B104708628F6ED3D965BBF778E64671339D200A09B7E80739B8D9FFF88B9C16040BEAAF466EC49A1C64BE36C13B05E8987F0DD4B1FA0CCD9A298
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:...... ..........&... ..............(... ...@...................................................................................................................p...............x................................8..............t@................@..............L.@................C..................p..........L...............L...D...........t....D8..........L....D..........DDDDDD......................................................333330.........x;.....H.........x;....8..........s;...............s....................8p..............4..............................3..p.............;8...............3w..............x..............................................................?....................................................................................?...........?....(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:GIF image data, version 89a, 76 x 103
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1270
                                                                                                                                                                                                          Entropy (8bit):5.422042590406756
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:2kEGY7peHU2k7N7DRhoZNtwNKzbEqNpmRRmJyMnM4RRwd5YErFcZ4E:PHU2k7N7YtG8EqNwbmIMnsd5hcZD
                                                                                                                                                                                                          MD5:ED63705020F5409BD91BE4B848250F7E
                                                                                                                                                                                                          SHA1:C2604114F4B24BE1F24DC8640818E8A5C076B0F6
                                                                                                                                                                                                          SHA-256:6CAA261B46150667B4B9F21E3C58F9594460C2582DEB5D5F7605567EC8ABEB07
                                                                                                                                                                                                          SHA-512:CAE29BDCE94E7CD5281418726887818AEF0CD8B59966706E2AA5FB6E639B95B2B21F179CDA6892F6C7B5A6A75F3D8EBEF6262E7829FE8407CE1183E6D4AB003F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:GIF89aL.g.................................................................................................................................3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f......3..f..............3..f.............3..f.........3..3.33.f3..3..3..33.33333f33.33.33.3f.3f33ff3f.3f.3f.3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f3.f33f3ff3.f3.f3.ff.ff3fffff.ff.ff.f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........3..33.3f.3..3.3..f..f3.ff.f..f.f......3..f.............3..f............3..f.............3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f....3.f...........3..f.............3..f..............3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f......3..f..............3..f.............3..f.........!.......,....L.g........H......*\....#J.H....3j.... C..I...(S.\...0c.I...8s.D....>......A....T...@...B=J5i.C....s..Y."...)Y........Z!......J....v,_.\....20C.I.b......6.{.qZ.....r.c.#=o.(.bi..O.=.uk.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1703 x 789, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):36484
                                                                                                                                                                                                          Entropy (8bit):7.826690532591528
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:X4+S5daND8PRZtBKjUr+vkzCE9D44dQM2J/nxm+kAS1KGF:XlGxtEjfczD9lQM4Inl
                                                                                                                                                                                                          MD5:4F169AC52006310BB5956187AF719865
                                                                                                                                                                                                          SHA1:5907E27014D30459102A21BED4BC082C78C1FB6C
                                                                                                                                                                                                          SHA-256:5248E60F5FAA0C281A4872FFEC1F28F2D723FA354E8FE0B4C355FA13E5883884
                                                                                                                                                                                                          SHA-512:E4955D2241C20432CA9DE31553E1CECDE44B59BD5139193D883C341A1CB60606C8C93B57546191B046CAB1D8DC47C55037EE49E97A4A873C30AEF8B590742055
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR..............I.L....pHYs..$...$...c.... .IDATx....U\G.7.Sw...F...L...H..p.b"...8...F....@.."."......h.?8.]U.y.b...e.......4...a........z.q:.ye.._F...W.b)........&.hMJ..0..&......x..]G...H)..k.........*.....,.|Y.[.>V.).E.C....s._..F.......4/....%.s.~.`01e3.ga..mD.17.$.t<..&...9"Nz..r.z.q8..Vw[..~|l.y...W....N.w/}.).....l]...EK...........2.W<...g*....4.Q.....w.{6.2.M...)...?v....)..?..SJy...0.g.z..N.Ss?.zr.....].w..w;..X....{....x.~.>..z.h......._.B......b....Rn.wT>.o......?RJyM.4".....N.<.n....hY`.[X.....O....v.....<.3<...5|P..J....p...L4...Z.P*..}.h....)...R..j.gL........,(>.\.O.`F...q..d[.G.E.J....Uc.P..\.b.......U..<.,.z,?.~...8..7v%U*.C`.6.n.....Ti..RL}..f.......eJ.....n.....,".t..6[..>GD...9.).Rc.'uw>.Sg.....|.z..}....Xk.*..6k...n...Z.[..`C.Wb=..*.O7w.)Jp....M.!.p..J)....1....+...|..<.]..\V..........u..R.-.k..nV9.P...7..Xig...S.D\....Khes..P9.M...7..m*......^.S)....o.j....}.{.`...J..e...<x..g@..@;.JXu....p....{.k.v.y.:.)h.?m~`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1703 x 789, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):36484
                                                                                                                                                                                                          Entropy (8bit):7.826690532591528
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:X4+S5daND8PRZtBKjUr+vkzCE9D44dQM2J/nxm+kAS1KGF:XlGxtEjfczD9lQM4Inl
                                                                                                                                                                                                          MD5:4F169AC52006310BB5956187AF719865
                                                                                                                                                                                                          SHA1:5907E27014D30459102A21BED4BC082C78C1FB6C
                                                                                                                                                                                                          SHA-256:5248E60F5FAA0C281A4872FFEC1F28F2D723FA354E8FE0B4C355FA13E5883884
                                                                                                                                                                                                          SHA-512:E4955D2241C20432CA9DE31553E1CECDE44B59BD5139193D883C341A1CB60606C8C93B57546191B046CAB1D8DC47C55037EE49E97A4A873C30AEF8B590742055
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR..............I.L....pHYs..$...$...c.... .IDATx....U\G.7.Sw...F...L...H..p.b"...8...F....@.."."......h.?8.]U.y.b...e.......4...a........z.q:.ye.._F...W.b)........&.hMJ..0..&......x..]G...H)..k.........*.....,.|Y.[.>V.).E.C....s._..F.......4/....%.s.~.`01e3.ga..mD.17.$.t<..&...9"Nz..r.z.q8..Vw[..~|l.y...W....N.w/}.).....l]...EK...........2.W<...g*....4.Q.....w.{6.2.M...)...?v....)..?..SJy...0.g.z..N.Ss?.zr.....].w..w;..X....{....x.~.>..z.h......._.B......b....Rn.wT>.o......?RJyM.4".....N.<.n....hY`.[X.....O....v.....<.3<...5|P..J....p...L4...Z.P*..}.h....)...R..j.gL........,(>.\.O.`F...q..d[.G.E.J....Uc.P..\.b.......U..<.,.z,?.~...8..7v%U*.C`.6.n.....Ti..RL}..f.......eJ.....n.....,".t..6[..>GD...9.).Rc.'uw>.Sg.....|.z..}....Xk.*..6k...n...Z.[..`C.Wb=..*.O7w.)Jp....M.!.p..J)....1....+...|..<.]..\V..........u..R.-.k..nV9.P...7..Xig...S.D\....Khes..P9.M...7..m*......^.S)....o.j....}.{.`...J..e...<x..g@..@;.JXu....p....{.k.v.y.:.)h.?m~`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1703 x 789, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):36484
                                                                                                                                                                                                          Entropy (8bit):7.826690532591528
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:X4+S5daND8PRZtBKjUr+vkzCE9D44dQM2J/nxm+kAS1KGF:XlGxtEjfczD9lQM4Inl
                                                                                                                                                                                                          MD5:4F169AC52006310BB5956187AF719865
                                                                                                                                                                                                          SHA1:5907E27014D30459102A21BED4BC082C78C1FB6C
                                                                                                                                                                                                          SHA-256:5248E60F5FAA0C281A4872FFEC1F28F2D723FA354E8FE0B4C355FA13E5883884
                                                                                                                                                                                                          SHA-512:E4955D2241C20432CA9DE31553E1CECDE44B59BD5139193D883C341A1CB60606C8C93B57546191B046CAB1D8DC47C55037EE49E97A4A873C30AEF8B590742055
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.PNG........IHDR..............I.L....pHYs..$...$...c.... .IDATx....U\G.7.Sw...F...L...H..p.b"...8...F....@.."."......h.?8.]U.y.b...e.......4...a........z.q:.ye.._F...W.b)........&.hMJ..0..&......x..]G...H)..k.........*.....,.|Y.[.>V.).E.C....s._..F.......4/....%.s.~.`01e3.ga..mD.17.$.t<..&...9"Nz..r.z.q8..Vw[..~|l.y...W....N.w/}.).....l]...EK...........2.W<...g*....4.Q.....w.{6.2.M...)...?v....)..?..SJy...0.g.z..N.Ss?.zr.....].w..w;..X....{....x.~.>..z.h......._.B......b....Rn.wT>.o......?RJyM.4".....N.<.n....hY`.[X.....O....v.....<.3<...5|P..J....p...L4...Z.P*..}.h....)...R..j.gL........,(>.\.O.`F...q..d[.G.E.J....Uc.P..\.b.......U..<.,.z,?.~...8..7v%U*.C`.6.n.....Ti..RL}..f.......eJ.....n.....,".t..6[..>GD...9.).Rc.'uw>.Sg.....|.z..}....Xk.*..6k...n...Z.[..`C.Wb=..*.O7w.)Jp....M.!.p..J)....1....+...|..<.]..\V..........u..R.-.k..nV9.P...7..Xig...S.D\....Khes..P9.M...7..m*......^.S)....o.j....}.{.`...J..e...<x..g@..@;.JXu....p....{.k.v.y.:.)h.?m~`.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:GIF image data, version 89a, 76 x 103
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):1270
                                                                                                                                                                                                          Entropy (8bit):5.422042590406756
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:2kEGY7peHU2k7N7DRhoZNtwNKzbEqNpmRRmJyMnM4RRwd5YErFcZ4E:PHU2k7N7YtG8EqNwbmIMnsd5hcZD
                                                                                                                                                                                                          MD5:ED63705020F5409BD91BE4B848250F7E
                                                                                                                                                                                                          SHA1:C2604114F4B24BE1F24DC8640818E8A5C076B0F6
                                                                                                                                                                                                          SHA-256:6CAA261B46150667B4B9F21E3C58F9594460C2582DEB5D5F7605567EC8ABEB07
                                                                                                                                                                                                          SHA-512:CAE29BDCE94E7CD5281418726887818AEF0CD8B59966706E2AA5FB6E639B95B2B21F179CDA6892F6C7B5A6A75F3D8EBEF6262E7829FE8407CE1183E6D4AB003F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:GIF89aL.g.................................................................................................................................3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f......3..f..............3..f.............3..f.........3..3.33.f3..3..3..33.33333f33.33.33.3f.3f33ff3f.3f.3f.3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f3.f33f3ff3.f3.f3.ff.ff3fffff.ff.ff.f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........3..33.3f.3..3.3..f..f3.ff.f..f.f......3..f.............3..f............3..f.............3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f....3.f...........3..f.............3..f..............3..f..........3..33.3f.3..3..3..f..f3.ff.f..f..f......3..f..............3..f.............3..f.........!.......,....L.g........H......*\....#J.H....3j.... C..I...(S.\...0c.I...8s.D....>......A....T...@...B=J5i.C....s..Y."...)Y........Z!......J....v,_.\....20C.I.b......6.{.qZ.....r.c.#=o.(.bi..O.=.uk.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PNG image data, 1703 x 789, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):36484
                                                                                                                                                                                                          Entropy (8bit):7.826690532591528
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:X4+S5daND8PRZtBKjUr+vkzCE9D44dQM2J/nxm+kAS1KGF:XlGxtEjfczD9lQM4Inl
                                                                                                                                                                                                          MD5:4F169AC52006310BB5956187AF719865
                                                                                                                                                                                                          SHA1:5907E27014D30459102A21BED4BC082C78C1FB6C
SHA-256:5248E60F5FAA0C281A4872FFEC1F28F2D723FA354E8FE0B4C355FA13E5883884
SHA-512:E4955D2241C20432CA9DE31553E1CECDE44B59BD5139193D883C341A1CB60606C8C93B57546191B046CAB1D8DC47C55037EE49E97A4A873C30AEF8B590742055
Malicious:false
Preview:.PNG........IHDR..............I.L....pHYs..$...$...c.... .IDATx....U\G.7.Sw...F...L...H..p.b"...8...F....@.."."......h.?8.]U.y.b...e.......4...a........z.q:.ye.._F...W.b)........&.hMJ..0..&......x..]G...H)..k.........*.....,.|Y.[.>V.).E.C....s._..F.......4/....%.s.~.`01e3.ga..mD.17.$.t<..&...9"Nz..r.z.q8..Vw[..~|l.y...W....N.w/}.).....l]...EK...........2.W<...g*....4.Q.....w.{6.2.M...)...?v....)..?..SJy...0.g.z..N.Ss?.zr.....].w..w;..X....{....x.~.>..z.h......._.B......b....Rn.wT>.o......?RJyM.4".....N.<.n....hY`.[X.....O....v.....<.3<...5|P..J....p...L4...Z.P*..}.h....)...R..j.gL........,(>.\.O.`F...q..d[.G.E.J....Uc.P..\.b.......U..<.,.z,?.~...8..7v%U*.C`.6.n.....Ti..RL}..f.......eJ.....n.....,".t..6[..>GD...9.).Rc.'uw>.Sg.....|.z..}....Xk.*..6k...n...Z.[..`C.Wb=..*.O7w.)Jp....M.!.p..J)....1....+...|..<.]..\V..........u..R.-.k..nV9.P...7..Xig...S.D\....Khes..P9.M...7..m*......^.S)....o.j....}.{.`...J..e...<x..g@..@;.JXu....p....{.k.v.y.:.)h.?m~`.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3838
Entropy (8bit):5.088460692091686
Encrypted:false
SSDEEP:48:BeuhLvClxA2HwBuE/Yjw/2lg6Y182BoNBdutalj2lxArHw32ly6Y182BoNB6kY0w:BJvl5BuU22QrpE32oQOK2ghdfgBfp
MD5:F108F9ADD9825EB6AAE9F5297536C2C9
SHA1:EF4D740B1105D5206978D34792E872D3A8A407E9
SHA-256:3E7398F9667561DD5FB5CD0A1F5D5D0DF8A7F35D727B0019A21E10961A77B542
SHA-512:B5B3C624E99C8AC61EB3E0B96F3A36D5ECA484D4BD33235667053CEF26C57FFEF3107859CB38939EB3F999ABF2A59CF91029985D1DDD689EACFBB70211C630E9
Malicious:false
Preview:<html>..<head>..<script language="JavaScript" type="text/javascript">.... var SCM_Test_User="SCM_Test_Command";.. var SCM_Test_Host="https://localhost:736/SCM/4.0/scm.esp";.// Default......function scm_cmd_post(func, parm) // Post async request and let event do update..{.. var hr = new XMLHttpRequest();.....// Access the onerror event for the XMLHttpRequest object.. hr.onerror = function() {....alert("Error: Failed Accessing Device Interface !!");...}.... hr.open("POST", SCM_Test_Host, true);.... // Set content type header information for sending url encoded variables in the request.. hr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");.... // Access the onreadystatechange event for the XMLHttpRequest object.. hr.onreadystatechange = function() {... if (hr.readyState == 4 && hr.status == 200) {.... var return_data = hr.responseText;.....document.getElementById("txtTestResponse").value = "Async Post Result:\r\n"+return_data;...

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):43367
Entropy (8bit):4.531521815386101
Encrypted:false
SSDEEP:384:qxe4deVLSh44rBLEXrGaaNmKS2Cg2sMGgxJTt3g38kos0u6rZjASgLq0w:qxe4DJNmKS2VMNZtuoZH
MD5:7FA0B7B0DC9284A17618C73FDD20A983
SHA1:2A2162A4998AC8C3AAE349392E6E9BBF03C9E42E
SHA-256:44E7EF139E5DFD4EFEE3A806C0C56B45814096CC2183E4E05877FAC5226436B6
SHA-512:A005D9CED8CBFA903020FFE1E0129F1253B8C7FBE6012884B0C4818F170E9DCE2ED30684FDC353D3ED145FD12FB43E76691F5A49A1128D5AD42AAA1197CE1C06
Malicious:false
Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <meta http-equiv="X-UA-Compatible" content="IE=edge" />.. <title>ITMS Scanner</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }..

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Category:dropped
Size (bytes):2999
Entropy (8bit):3.9357714030301936
Encrypted:false
SSDEEP:24:QEipEr2in2hH6WOtfcHi18SG7EG+WZ4WN83+/pDv6j6dtimCiw4bPL1yrKDbSBv6:HK1FROta08t7E/gbN1pv6u04bPL1ye
MD5:7DAA7CFF4BDB6A6B4C33AECA089DEBFF
SHA1:04118F802E9DAAA1EFF20B00E333AA011340856C
SHA-256:68ED09555E1B0D56AA83887C3F8B086359C337897149BC9C2854373FDCDA75A3
SHA-512:DC39F36273A4B104708628F6ED3D965BBF778E64671339D200A09B7E80739B8D9FFF88B9C16040BEAAF466EC49A1C64BE36C13B05E8987F0DD4B1FA0CCD9A298
Malicious:false
Preview:...... ..........&... ..............(... ...@...................................................................................................................p...............x................................8..............t@................@..............L.@................C..................p..........L...............L...D...........t....D8..........L....D..........DDDDDD......................................................333330.........x;.....H.........x;....8..........s;...............s....................8p..............4..............................3..p.............;8...............3w..............x..............................................................?....................................................................................?...........?....(... ...@..............................................................................................""".))).UUU.MMM.BBB.999..|..PP........................3...f..........3...33..3f..3...3...3...f...f3..ff..f...f...f

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):11622
Entropy (8bit):4.857450404916044
Encrypted:false
SSDEEP:192:yfH0r8C1rCUXDcHoHl6mHLCMXTBXcSfcxH0:y/0r8QrCUXDael68LCMXFMSfcxH0
MD5:5459FAA5C92FBC7A4BABDF42DA898D0C
SHA1:DC869A04188C349EF196FF28712BE5FF688277EA
SHA-256:2B06B69E50F0A6208494783389A1982B0A37B3F0DDD998BB75A7F99761ED1A3C
SHA-512:6BE248A7054DF13EF5FD4ABE668C5449C6F1278E1CBAAFF7E7251C605BB7DFF2C6803A1409466A346335BA844A3D8CFCD09DE57E0152C8FDB6C56F533F51FA6F
Malicious:false
Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Endorsement Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="endorsementsJS" type="text/javascript">...... var sharedObject;.... function OnEndorseSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.. var configXML = "<additionaldata>";.. configXML = configXML + sharedObject.GetScannerConfiguration(DeviceID.options[DeviceID.selectedIndex].value, false);.. configXML = configXML + "</additionaldata>";.. var xmlDoc = $.parseXML(configXML);.... $physicalEndorsement = $(xmlDoc).find("PhysicalEn

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with very long lines (608), with CRLF, LF line terminators
Category:dropped
Size (bytes):25248
Entropy (8bit):4.535394761469598
Encrypted:false
SSDEEP:384:GxehBcD+eqacKS2MKfeJNzG51IBRXXRuaKlpNAiANMW++Ecq:Gxe/cDGacKS2ri9NBu3Ao
MD5:41E3D157C9F798864CF43D5D06B1B9B0
SHA1:A21EEBBBB4731FC3CDDC7D991B0F09DF98CA38E9
SHA-256:82E4E1E2308985217975220A67F77CA88C5314D6596B936651F1F276C84FE705
SHA-512:976504083CDA58FE2AEF13B7E8F0F55B37B3AF83AA9A32EAAB0F5282DBA110C8D8B32DF7E270F613113E2B5FC1E2E97CE031F41DD209F438771DA37C28327A37
Malicious:false
Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>ITMS Download Agent</title>.. .. <script>.. if(!window.jQuery).. {.. // must be loading this page outside of our index page, need to load jquery.. var link = document.createElement('link');.. link.rel = "stylesheet";.. link.type = "text/css";.. link.href = "css/smoothness/jquery-ui-1.10.4.custom.min.css";.. document.getElementsByTagName('head')[0].appendChild(link);.... var script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-1.11.1.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. script = document.createElement('script');.. script.type = "text/javascript";.. script.src = "js/jquery-ui-1.10.4.custom.min.js";.. document.getElementsByTagName('head')[0].appendChild(script);.. }.. </script>.... <script src="js/RDMFileDownload.js

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):42675
Entropy (8bit):4.637657121816673
Encrypted:false
SSDEEP:192:iLFkJLEsm17ztfMlzzCqd3R0WgrOMSKP/3Sx9TbUkcCDESxDME/Ogr+GN5J6eZ36:iLFQyQ394k5DX+/s8FAdVghXFi8NifMF
MD5:CFE3EFB0072A24800CE4CD451B1908EF
SHA1:E4E910E982F559E8B98E37C7303DE15DD7B88FEB
SHA-256:FD62ACB879187BC4754E692109F0A6C4A11CBD0258992AD4159E2A3AB0B27BAE
SHA-512:198237443B841DDC84BFEC25B79885BBF1B5D49F15783BFE8DE351E4AE72B2276C37D335417E90C549E4E7A9A0C19FFA738C0190864FACBF9BD484DDBEA99783
Malicious:false
Preview:<!doctype html>.<html lang="en">.<head>. <meta charset="utf-8" />. <meta http-equiv="Content-Type" content="text/html;charset=utf-8">. <meta http-equiv="Cache-control" content="no-store, no-cache, must-revalidate">. <meta name="description" content="SCM SAPI Scanner Test for QE">. <meta name="author" content="Frank McGovern - RDM Corporation a Deluxe Company">. <style>. #RecoveryDiv {. width: 720px;. padding: 5px 0;. text-align: center;. background-color: lightblue;. margin-top: 5px;. }. </style>.. <title>SCM SAPI Scanner Test</title>. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>. <script type="text/javascript" src="js/jquery-ui-1.10.4.custom.min.js"></script>. <script type="text/javascript" src="js/sapi.js"></script>. <script type="text/javascript" src="js/sapiconstants.js"></script>.. <link type="text/css" rel="stylesheet" href="css/qescm.css">.. <s

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):15622
Entropy (8bit):4.652831581163575
Encrypted:false
SSDEEP:192:Oz7Ef0HdBrYjW17UKvyP5FUyWUnndXMNMasqve7mwm1Crxyw4:OsSdBrYjW17UKv65FUyWEndXMarZ4
MD5:4E586642F7781A6E3CAF7898F93F1FED
SHA1:40B52B3CF2808073270AFBCCA9830BC395062B83
SHA-256:CDD71A5656EBF218BB2D94457D2930DC79D81F899B2A3D8A3A1634442554F6C8
SHA-512:6ADB03888A5B2363AD842738AE4D323EF7E712534FFCAE82B5F2E87106A39EADB12D010261258C480821B0EA3543A6937D77046776DF78B020A9C6D34C7E897B
Malicious:false
Preview:<!doctype html>..<html lang="en">..<head>.. <meta charset="utf-8" />.. <title>Additional Settings</title>.. <script type="text/javascript" src="js/jquery-1.11.1.min.js"></script>.. <script id="miscsettingsJS" type="text/javascript">...... var sharedObject;.... function OnMiscSettingsPageLoad() {.. if (window.showModalDialog) {.. sharedObject = window.dialogArguments;.. }.. else {.. sharedObject = window.opener.GetDialogArguments(); // callback to get object.. }.... var DeviceID = sharedObject.document.getElementById("DeviceID");.... // disable any invalid options.. chkWantCodeline.disabled = true;.. chkCropImage.disabled = true;.. var ScannerVendor = sharedObject.document.getElementById("ScannerModel");.. //if (ScannerVendor.value != "SCI") {.. // RemoveSelectByValue("ReturnedImages", "front,rear,auxFront,aux

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:HTML document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):11222
Entropy (8bit):4.906615747950895
Encrypted:false
SSDEEP:192:xWv/rVEWWgcGLjqayPyeTb8Ap4gqQ+M8ddspnW:xlnaS7EAR+M8PEnW
MD5:4404937977A219AE6C282C86BC2E3588
SHA1:BBF9498F2E2DB853B6FAB2EC8C0D2DE9DC0233E0
SHA-256:92144E3BD70A3DB922443EDFAAF040083804569FCE67E5A62604BFCEF98EC6BF
SHA-512:C68B375DBB23BBC5B19C9F0BA439F6F50745F61E3B279ED208D9B8BF58D034DC7DC65A464D7312F66233AB10993684D038FD584C480C4814B942BD3A8B61633F
Malicious:false
Preview:<!DOCTYPE html>..<html language="en">..<head>..<meta charset="utf-8">...<title>RDM - Scanner</title>...<meta name="description" content="Transform your Payments with RDM RDM Corporation is a provider of Remote Deposit Capture (RDC), integrated receivables and payment processing solutions designed to help clients simplify the way they do business.">.. <meta name="author" content="Geoff Culley - RDM Corporation">.... <link rel="stylesheet" href="css/smoothness/jquery-ui-1.10.4.custom.min.css">...<script src="js/jquery-1.11.1.min.js"></script>...<script src="js/jquery-ui-1.10.4.custom.min.js"></script>.... <script>....$(function() { $( "#tabs" ).tabs({active: 1}); });...</script>.... <style>.. .body{.....width: 100%;.. height:100%;...... padding:0;.. margin:0;.....font-family:helvetica,sans-serif;.....background-color:#f2f2f2;....}.... li a{.. outline:none;.. }.... #wrapper{.. min-height:100%;..
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9241
                                                                                                                                                                                                          Entropy (8bit):4.8412854529644305
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:PHvbkLqV2m51fnhzHXup/BrdKDqCnql40ORaB:PHTkLz0V+pZrKqv4G
                                                                                                                                                                                                          MD5:95311A989A8D48ED1E283DD2DD5AC784
                                                                                                                                                                                                          SHA1:EE93E11B782726F9B79ACB7B4A71D0EE0323E480
                                                                                                                                                                                                          SHA-256:33D45F327D80F21158D889A444712FB09BB8E382C0D039F7F1656DA5845233D3
                                                                                                                                                                                                          SHA-512:127DD7EB0128A2EEB7A5272CD9D93C61EE864F6647A79504C68043746391CBF586817FE267A273EED1E362213F01ADFD2480CB432FCBE7AE8C668F971A345491
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/*.. *.Module to package up a file download and subsequent upload to RDMAppweb for installation... * User only has to call DoFileDownload(url, exceptionHandlerName), where:.. * url = url to download.. * exceptionHandlerName = function name of exception handler that will receive exception response xml. Handler must.. * have the following prototype: exceptionHandlerName(xmlExceptionXMLString).. */......var DF_User = "DA_UserId";..var DF_Host = "https://localhost:736/SCM/4.0/da.esp";..var BYTES_PER_CHUNK = 5000000;..var base64Data = "";..var PB;......// jQuery ajax transport for making binary data type requests...// Use this transport for "binary" data transfers...$.ajaxTransport("+binary", function (options, originalOptions, jqXHR) {.. // check for conditions and support for blob / arraybuffer response type.. if ((options.dataType && (options.dataType == 'binary')) || (options.data && ((window.ArrayBuffer && options.data instanceof ArrayBuffe
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with very long lines (32086)
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):95786
                                                                                                                                                                                                          Entropy (8bit):5.393689635062045
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzm6:ENMyqhJvN32cBC7M6Whca98HrB
                                                                                                                                                                                                          MD5:8101D596B2B8FA35FE3A634EA342D7C3
                                                                                                                                                                                                          SHA1:D6C1F41972DE07B09BFA63D2E50F9AB41EC372BD
                                                                                                                                                                                                          SHA-256:540BC6DEC1DD4B92EA4D3FB903F69EABF6D919AFD48F4E312B163C28CFF0F441
                                                                                                                                                                                                          SHA-512:9E1634EB02AB6ACDFD95BF6544EEFA278DFDEC21F55E94522DF2C949FB537A8DFEAB6BCFECF69E6C82C7F53A87F864699CE85F0068EE60C56655339927EEBCDB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):13945
                                                                                                                                                                                                          Entropy (8bit):4.789463042290839
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:Trx7pT23ki75/23kiiPvom0akcU8jluDQMO3raekNAcGg1Zayn4:hti5uXmHkc3RuDjsf7g1ZaX
                                                                                                                                                                                                          MD5:00EC40C3AA384CC86A58BCCC83CFFD52
                                                                                                                                                                                                          SHA1:BFA37BC76A292F376A2318F2EB43F0B69F7E1A33
                                                                                                                                                                                                          SHA-256:156A7DDBAA02A7DC1BF236EA9E512D72EC84347CD35ECB99CB1793B9B88843D4
                                                                                                                                                                                                          SHA-512:2C61554DF6EA2331FD3E4C1EB56A13FFD7A3953BC7DA4AF5F610D0A72C74DEC80F8A7E7288A86917C826AF3CC1C3D5D83DBBB8791E8B19B65F1B141951726CED
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:// JavaScript source code....var SCMSAPI_USERID = "ScmSapiHtml";..var SAPI_HOST = "https://localhost:736/SCM/4.0/scm.esp";....var _SapiHostUrl = "";....var ResponseStatus = {.. OK: "Ok",.. EXCEPTION: "Exception",.. TIMEOUT: "Timeout"..};....var ExceptionType = {.. ERROR: "Error",.. RECOVERY: "Recovery",.. WARNING: "Warning",.. NOITEM: "NoMoreItems",.. DECISION: "AtDecisionPoint",.. STOP: "UserStopped",.. EVENT: "ScannerEvent"..};....var SapiApi = {.. UseNetworkScannerAppwebUrl: function (serialnumber) {.. _SapiHostUrl = "https://" + "RD" + serialnumber + "/SCM/4.0/scm.esp";.. },.... UseClientAppwebUrl: function () {.. _SapiHostUrl = SAPI_HOST;.. },.... FindScanners: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("FindScanners", parameterobj, callback);.. },.... ActivateScanner: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("ActivateScanner", parameterobj, callback
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):9241
                                                                                                                                                                                                          Entropy (8bit):4.8412854529644305
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:PHvbkLqV2m51fnhzHXup/BrdKDqCnql40ORaB:PHTkLz0V+pZrKqv4G
                                                                                                                                                                                                          MD5:95311A989A8D48ED1E283DD2DD5AC784
                                                                                                                                                                                                          SHA1:EE93E11B782726F9B79ACB7B4A71D0EE0323E480
                                                                                                                                                                                                          SHA-256:33D45F327D80F21158D889A444712FB09BB8E382C0D039F7F1656DA5845233D3
                                                                                                                                                                                                          SHA-512:127DD7EB0128A2EEB7A5272CD9D93C61EE864F6647A79504C68043746391CBF586817FE267A273EED1E362213F01ADFD2480CB432FCBE7AE8C668F971A345491
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/*.. *.Module to package up a file download and subsequent upload to RDMAppweb for installation... * User only has to call DoFileDownload(url, exceptionHandlerName), where:.. * url = url to download.. * exceptionHandlerName = function name of exception handler that will receive exception response xml. Handler must.. * have the following prototype: exceptionHandlerName(xmlExceptionXMLString).. */......var DF_User = "DA_UserId";..var DF_Host = "https://localhost:736/SCM/4.0/da.esp";..var BYTES_PER_CHUNK = 5000000;..var base64Data = "";..var PB;......// jQuery ajax transport for making binary data type requests...// Use this transport for "binary" data transfers...$.ajaxTransport("+binary", function (options, originalOptions, jqXHR) {.. // check for conditions and support for blob / arraybuffer response type.. if ((options.dataType && (options.dataType == 'binary')) || (options.data && ((window.ArrayBuffer && options.data instanceof ArrayBuffe
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2254
                                                                                                                                                                                                          Entropy (8bit):5.059274097319649
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:bJKVzATzKtAQCwn7wAqZLQaPIvLIw9IVV2l/+bewb0YwwkWr:bgVz+jwsAqZ6v0w9I/mw9wwVr
                                                                                                                                                                                                          MD5:186A8E49402CB6C7CD54D43A8269DA90
                                                                                                                                                                                                          SHA1:4D3A4F5EA1AB5B4E6DBE0D985600B8383D064A34
                                                                                                                                                                                                          SHA-256:916E73B03B6287D2B125AC610985C6A3A77DEFB48801F86A8EF0E2AF200625FD
                                                                                                                                                                                                          SHA-512:253FF718B7D67BC178FA281FD1EF17EDCFC6135408B1A5061FC76825D269EEBC48404338226DAEC406542FADB1C6103656E7467F11C94620C14CDBE94CAAAA39
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:var STATUS_DISCONNECTED.....= 0;..var STATUS_CONNECTED.....= 1;..var STATUS_CONNECT_ERROR....= 2;..var STATUS_DISCONNECTING....= 3;..var STATUS_CONNECTING.....= 4;..var STATUS_SCANNING......= 5;..var STATUS_SCANNING_ERROR....= 6;..var STATUS_SCANNING_INPUT....= 13;..var STATUS_STOPPING......= 14;..var STATUS_STOPPING_CANCEL....= 15;..var STATUS_STOPPING_HOPPEREMPTY...= 16;..var STATUS_INIT_FAILED.....= 17;..var STATUS_AUTODETECTING....= 18;..// Recovery Code: adding a recovery status..var STATUS_SCANNING_RECOVERY...= 19;..//the constant to track whether Flat bed scanner's cancel button was clicked..var CANCEL_TWAIN_FLATBED = 20;......var SCANNERMODEL_UNKNOWN....= -1;..var SCANNERMODEL_EMPTY.....= -2;..var SCANNERMODEL_EC6000.....= 1;..var SCANNERMODEL_ECSERIES ....= 2;..var SCANNERMODEL_DCC210.....= 4;..var SCANNERMODEL_DCC220.....= 5;..var SCANNERMODEL_DCC350.....= 6;..var SCANNERMODEL_PANINI.....= 7;..var SCANNERMODEL_DCC215.....= 8;..var SCANNERMODEL_DCC230.....= 9;..
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):282944
                                                                                                                                                                                                          Entropy (8bit):5.083336235252651
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:8L7hmFRcHCAkwxc5c84OfkK0alZOVJFpqfzf382b6YI1f8sA20MR:85O4OfgsZcIu1f1AUR
                                                                                                                                                                                                          MD5:3B80424646A7ECDB19273D86800C1AC0
                                                                                                                                                                                                          SHA1:6945741107601D402C70A13CE46EB72FD1168BC8
                                                                                                                                                                                                          SHA-256:CE0343E1D6F489768EEEFE022C12181C6A0822E756239851310ACF076D23D10C
                                                                                                                                                                                                          SHA-512:E68CAB6907368B1598E97BB86F44A788DEA3EF9480AB4A110FD21F280BD6DFA2CEB1DB3BD49A781816D4F78BEF7A333A0B20F0D2715B78516754C98D6E7E190C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/*!. * jQuery JavaScript Library v1.11.0. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2014-01-23T21:02Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper window is present,...// execute the factory and get jQuery...// For environments that do not inherently posses a window with a document...// (such as Node.js), expose a jQuery-making factory as module.exports...// This accentuates the need for the creation of a real window...// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info...module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with very long lines (64560)
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):228539
                                                                                                                                                                                                          Entropy (8bit):5.152646332443805
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:mnhStzLZwyt83OegZBPit/FoCv62jHesF7XWzx9GV1+1/4L9fSz8:gAFx+2UB62besF7XWzx9G
                                                                                                                                                                                                          MD5:202A3D794B47E0CB0638B465301769DD
                                                                                                                                                                                                          SHA1:5395BA95100F253A28143410CB02C58BDC8E6DFF
                                                                                                                                                                                                          SHA-256:FD2A5EDD4D12D6B68A50C69877DB293E83787ACCEA605FF53817FB45F91CAA16
                                                                                                                                                                                                          SHA-512:FAB7F2613D5E0716BDC9532DD638B6005E3828A59917795CBE095E2E12E38B0B2A50DB9FD545B97D3D06325221E01E8C8F5145E413D51CD949D0BD387DA0EB25
                                                                                                                                                                                                          Malicious:false
Preview:/*! jQuery UI - v1.10.4 - 2014-01-19.* http://jqueryui.com.* Includes: jquery.ui.core.js, jquery.ui.widget.js, jquery.ui.mouse.js, jquery.ui.position.js, jquery.ui.draggable.js, jquery.ui.droppable.js, jquery.ui.resizable.js, jquery.ui.selectable.js, jquery.ui.sortable.js, jquery.ui.accordion.js, jquery.ui.autocomplete.js, jquery.ui.button.js, jquery.ui.datepicker.js, jquery.ui.dialog.js, jquery.ui.menu.js, jquery.ui.progressbar.js, jquery.ui.slider.js, jquery.ui.spinner.js, jquery.ui.tabs.js, jquery.ui.tooltip.js, jquery.ui.effect.js, jquery.ui.effect-blind.js, jquery.ui.effect-bounce.js, jquery.ui.effect-clip.js, jquery.ui.effect-drop.js, jquery.ui.effect-explode.js, jquery.ui.effect-fade.js, jquery.ui.effect-fold.js, jquery.ui.effect-highlight.js, jquery.ui.effect-pulsate.js, jquery.ui.effect-scale.js, jquery.ui.effect-shake.js, jquery.ui.effect-slide.js, jquery.ui.effect-transfer.js.* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */..(function(e,t){function

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text
Category:dropped
Size (bytes):282944
Entropy (8bit):5.083336235252651
Encrypted:false
SSDEEP:6144:8L7hmFRcHCAkwxc5c84OfkK0alZOVJFpqfzf382b6YI1f8sA20MR:85O4OfgsZcIu1f1AUR
MD5:3B80424646A7ECDB19273D86800C1AC0
SHA1:6945741107601D402C70A13CE46EB72FD1168BC8
SHA-256:CE0343E1D6F489768EEEFE022C12181C6A0822E756239851310ACF076D23D10C
SHA-512:E68CAB6907368B1598E97BB86F44A788DEA3EF9480AB4A110FD21F280BD6DFA2CEB1DB3BD49A781816D4F78BEF7A333A0B20F0D2715B78516754C98D6E7E190C
Malicious:false
Preview:/*!. * jQuery JavaScript Library v1.11.0. * http://jquery.com/. *. * Includes Sizzle.js. * http://sizzlejs.com/. *. * Copyright 2005, 2014 jQuery Foundation, Inc. and other contributors. * Released under the MIT license. * http://jquery.org/license. *. * Date: 2014-01-23T21:02Z. */..(function( global, factory ) {...if ( typeof module === "object" && typeof module.exports === "object" ) {...// For CommonJS and CommonJS-like environments where a proper window is present,...// execute the factory and get jQuery...// For environments that do not inherently posses a window with a document...// (such as Node.js), expose a jQuery-making factory as module.exports...// This accentuates the need for the creation of a real window...// e.g. var jQuery = require("jquery")(window);...// See ticket #14549 for more info...module.exports = global.document ?....factory( global, true ) :....function( w ) {.....if ( !w.document ) {......throw new Error( "jQuery requires a window with a document" );.....}.

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (32086)
Category:dropped
Size (bytes):95786
Entropy (8bit):5.393689635062045
Encrypted:false
SSDEEP:1536:/PEkjP+iADIOr/NEe876nmBu3HvF38sEeLHFoqqhJ7SerN5wVI+xcBmPv7E+nzm6:ENMyqhJvN32cBC7M6Whca98HrB
MD5:8101D596B2B8FA35FE3A634EA342D7C3
SHA1:D6C1F41972DE07B09BFA63D2E50F9AB41EC372BD
SHA-256:540BC6DEC1DD4B92EA4D3FB903F69EABF6D919AFD48F4E312B163C28CFF0F441
SHA-512:9E1634EB02AB6ACDFD95BF6544EEFA278DFDEC21F55E94522DF2C949FB537A8DFEAB6BCFECF69E6C82C7F53A87F864699CE85F0068EE60C56655339927EEBCDB
Malicious:false
Preview:/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.1",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0]+|[\s\uFEFF\xA0]+$/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){ret

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with very long lines (64560)
Category:dropped
Size (bytes):228539
Entropy (8bit):5.152646332443805
Encrypted:false
SSDEEP:3072:mnhStzLZwyt83OegZBPit/FoCv62jHesF7XWzx9GV1+1/4L9fSz8:gAFx+2UB62besF7XWzx9G
MD5:202A3D794B47E0CB0638B465301769DD
SHA1:5395BA95100F253A28143410CB02C58BDC8E6DFF
SHA-256:FD2A5EDD4D12D6B68A50C69877DB293E83787ACCEA605FF53817FB45F91CAA16
SHA-512:FAB7F2613D5E0716BDC9532DD638B6005E3828A59917795CBE095E2E12E38B0B2A50DB9FD545B97D3D06325221E01E8C8F5145E413D51CD949D0BD387DA0EB25
Malicious:false
Preview:/*! jQuery UI - v1.10.4 - 2014-01-19.* http://jqueryui.com.* Includes: jquery.ui.core.js, jquery.ui.widget.js, jquery.ui.mouse.js, jquery.ui.position.js, jquery.ui.draggable.js, jquery.ui.droppable.js, jquery.ui.resizable.js, jquery.ui.selectable.js, jquery.ui.sortable.js, jquery.ui.accordion.js, jquery.ui.autocomplete.js, jquery.ui.button.js, jquery.ui.datepicker.js, jquery.ui.dialog.js, jquery.ui.menu.js, jquery.ui.progressbar.js, jquery.ui.slider.js, jquery.ui.spinner.js, jquery.ui.tabs.js, jquery.ui.tooltip.js, jquery.ui.effect.js, jquery.ui.effect-blind.js, jquery.ui.effect-bounce.js, jquery.ui.effect-clip.js, jquery.ui.effect-drop.js, jquery.ui.effect-explode.js, jquery.ui.effect-fade.js, jquery.ui.effect-fold.js, jquery.ui.effect-highlight.js, jquery.ui.effect-pulsate.js, jquery.ui.effect-scale.js, jquery.ui.effect-shake.js, jquery.ui.effect-slide.js, jquery.ui.effect-transfer.js.* Copyright 2014 jQuery Foundation and other contributors; Licensed MIT */..(function(e,t){function

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):13945
Entropy (8bit):4.789463042290839
Encrypted:false
SSDEEP:192:Trx7pT23ki75/23kiiPvom0akcU8jluDQMO3raekNAcGg1Zayn4:hti5uXmHkc3RuDjsf7g1ZaX
MD5:00EC40C3AA384CC86A58BCCC83CFFD52
SHA1:BFA37BC76A292F376A2318F2EB43F0B69F7E1A33
SHA-256:156A7DDBAA02A7DC1BF236EA9E512D72EC84347CD35ECB99CB1793B9B88843D4
SHA-512:2C61554DF6EA2331FD3E4C1EB56A13FFD7A3953BC7DA4AF5F610D0A72C74DEC80F8A7E7288A86917C826AF3CC1C3D5D83DBBB8791E8B19B65F1B141951726CED
Malicious:false
Preview:// JavaScript source code....var SCMSAPI_USERID = "ScmSapiHtml";..var SAPI_HOST = "https://localhost:736/SCM/4.0/scm.esp";....var _SapiHostUrl = "";....var ResponseStatus = {.. OK: "Ok",.. EXCEPTION: "Exception",.. TIMEOUT: "Timeout"..};....var ExceptionType = {.. ERROR: "Error",.. RECOVERY: "Recovery",.. WARNING: "Warning",.. NOITEM: "NoMoreItems",.. DECISION: "AtDecisionPoint",.. STOP: "UserStopped",.. EVENT: "ScannerEvent"..};....var SapiApi = {.. UseNetworkScannerAppwebUrl: function (serialnumber) {.. _SapiHostUrl = "https://" + "RD" + serialnumber + "/SCM/4.0/scm.esp";.. },.... UseClientAppwebUrl: function () {.. _SapiHostUrl = SAPI_HOST;.. },.... FindScanners: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("FindScanners", parameterobj, callback);.. },.... ActivateScanner: function (parameterobj, callback) {.. SapiApi.PostSapiFunctionObject("ActivateScanner", parameterobj, callback

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2254
Entropy (8bit):5.059274097319649
Encrypted:false
SSDEEP:48:bJKVzATzKtAQCwn7wAqZLQaPIvLIw9IVV2l/+bewb0YwwkWr:bgVz+jwsAqZ6v0w9I/mw9wwVr
MD5:186A8E49402CB6C7CD54D43A8269DA90
SHA1:4D3A4F5EA1AB5B4E6DBE0D985600B8383D064A34
SHA-256:916E73B03B6287D2B125AC610985C6A3A77DEFB48801F86A8EF0E2AF200625FD
SHA-512:253FF718B7D67BC178FA281FD1EF17EDCFC6135408B1A5061FC76825D269EEBC48404338226DAEC406542FADB1C6103656E7467F11C94620C14CDBE94CAAAA39
Malicious:false
Preview:var STATUS_DISCONNECTED.....= 0;..var STATUS_CONNECTED.....= 1;..var STATUS_CONNECT_ERROR....= 2;..var STATUS_DISCONNECTING....= 3;..var STATUS_CONNECTING.....= 4;..var STATUS_SCANNING......= 5;..var STATUS_SCANNING_ERROR....= 6;..var STATUS_SCANNING_INPUT....= 13;..var STATUS_STOPPING......= 14;..var STATUS_STOPPING_CANCEL....= 15;..var STATUS_STOPPING_HOPPEREMPTY...= 16;..var STATUS_INIT_FAILED.....= 17;..var STATUS_AUTODETECTING....= 18;..// Recovery Code: adding a recovery status..var STATUS_SCANNING_RECOVERY...= 19;..//the constant to track whether Flat bed scanner's cancel button was clicked..var CANCEL_TWAIN_FLATBED = 20;......var SCANNERMODEL_UNKNOWN....= -1;..var SCANNERMODEL_EMPTY.....= -2;..var SCANNERMODEL_EC6000.....= 1;..var SCANNERMODEL_ECSERIES ....= 2;..var SCANNERMODEL_DCC210.....= 4;..var SCANNERMODEL_DCC220.....= 5;..var SCANNERMODEL_DCC350.....= 6;..var SCANNERMODEL_PANINI.....= 7;..var SCANNERMODEL_DCC215.....= 8;..var SCANNERMODEL_DCC230.....= 9;..

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2435
Entropy (8bit):4.800004037117997
Encrypted:false
SSDEEP:48:ApHOSZ+Nn/GbibsfAoYTpobLpRN9DIqrMx:ApH/+/WfAoYTpoPpRTIqO
MD5:B6A092DCF5932F7C4031BBAE214E5377
SHA1:E4F8530FA9FB9B12166D3F206C34826462751C56
SHA-256:D0301D852AEF2DE12CDEDD6ABD1E396EA479D39FEA897B09AFBE2767EDE86030
SHA-512:EBDC0CE7AC5949748C7936788482C8062A0524656C8A0133FBD5AE4E60382271768A0A0F486E717BC44F4BF6CF9FF95FB53F76E8FEA4727671F1322F992C8BE8
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true</DoubleDocDetectEnabled>.. <DoubleDocThreshold></DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2434
Entropy (8bit):4.802397601214804
Encrypted:false
SSDEEP:48:Ap+OhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+M+/WfAoYTpo/pRTIqO
MD5:82A506D9EB608EB4AC1E2C2CA00E6DB5
SHA1:54AF5F7F8FD9E5290F0A8AA62317D434A8CB7F65
SHA-256:4AAB4377DCB51C1F367704D2DC8A510DE7256AB1D9D283918E510BA016B34FA3
SHA-512:252199635D3A1D00B4900E44B6A8B2A714A83F9C21A039CE51F9B767EAD3DBF22870C1D859B109A30EF489B92F19726881A661562179213A4695568FEC7F83E9
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2463
Entropy (8bit):4.8141008898143145
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoGkpRN9DIqrMx:ApHM+/WfAoYTpoFpRTIqO
MD5:E9420005FFE39797B269B155679FA57F
SHA1:C4DF624179BD6929CD6B1AF0041E82FEEB4945A3
SHA-256:E164855CF50954B1DB75A4E7B26C91A4C702D0BFF67169E97F3F850B70B2F0FD
SHA-512:F83E51B836E8D6DE9D987C564198B9EB3A7808F07068596026A88DC177F602660014840EF02A612F28EE8656EA2E310E436F85213F4446832E35CB3D55A27FD7
Malicious:false
Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2456
Entropy (8bit):4.8042428201422025
Encrypted:false
SSDEEP:48:ApHOhZ+Nn/GbibvCAoYTpobLpRN9DIqrMx:ApHM+/BCAoYTpoPpRTIqO
MD5:33953AFFF7BC693F3A43A4FFB8C8F246
SHA1:B9124EFE18E420340DA9E22031CF8C43694732C3
SHA-256:D9E02876CF4A30A19DD2C400459D26F99B7D5879EAE89441D71D7B456321703D
                                                                                                                                                                                                          SHA-512:2E234FB45AD94F0AA0001750E76663248ED7DB6CB7160456CBD45E239A53593AA8A758238F195C9479C80BA575D0D422F23714819CFA989F3189791E1F831D0C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2435
                                                                                                                                                                                                          Entropy (8bit):4.802539388842096
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHM+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:640F7ABB77347ED65E1F1DC5178A39E6
                                                                                                                                                                                                          SHA1:79B78C41A1AB54276871A2779FEB0212673353B7
                                                                                                                                                                                                          SHA-256:96D9D9D4E084E3A613849363639AA2FFFE960F43919A9C582020F1A572DC3948
                                                                                                                                                                                                          SHA-512:D90AB6EDE3D640CDA7FCC6310737D39D4D372E81786F4B5A325D18D07686DC51C621AF1E1D18EA52CD551524C51E13E4E819706FBB76A9AD9527A1557F8D97BB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2434
                                                                                                                                                                                                          Entropy (8bit):4.802397601214804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHR+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:450234ED909316D4530B35619DF29748
                                                                                                                                                                                                          SHA1:CCD2BDA1E96B47D516129AE60849354B045DBB48
                                                                                                                                                                                                          SHA-256:4A0CCCB41BE86930D3CAFC7DB21A839152F86EB605F0854616F13992AA7A8A66
                                                                                                                                                                                                          SHA-512:1A3172370F65DA31AFB62C9BE2986540F00B6F3EDE429C3B7EDA6496DEC9000B2423497F0017196B1316A53560300E07D0E052B9FC52A052DD4CD580AFA43CF6
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2448
                                                                                                                                                                                                          Entropy (8bit):4.802566723178274
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Ap+OeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:Ap+R+/BBAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:D105186A9CBE53E2066F626F74BD3D40
                                                                                                                                                                                                          SHA1:87FC9988608C3F957E8A11235AB1A92ACC116AD5
                                                                                                                                                                                                          SHA-256:5710B45A359AE70D86C1A83F402282F33EADD60DD3E376CD1B19A46223318447
                                                                                                                                                                                                          SHA-512:B8ACAA948FAF0B08D2EAF55BCC50A273E0D56180F7A55E2A805C9113270936BF3790A30E73DDEFDABC7DADBF22DB0F146F7CB068EB198BBB7BAFF2499EB60224
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2433
                                                                                                                                                                                                          Entropy (8bit):4.802174027638217
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Ap+OeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+R+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:3D487B9E931A89A3CE3D2C2A7B988F6B
                                                                                                                                                                                                          SHA1:82316073F4C52EF1CAF3C52B1F6DAD0CF15807A4
                                                                                                                                                                                                          SHA-256:9A7A50123C14825FEE2D1A9603626A84B19ADAB889741CA9775EF8E9829620B7
                                                                                                                                                                                                          SHA-512:FE1FEFF24FB20E4AF5447D481BA74AE4CA19DDF18F5D557CA33258F5EB6CBD95923CC9DE63E352711A3BA37F72543275CE6B83453945B79C3DF36E4AEB160A8B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2449
                                                                                                                                                                                                          Entropy (8bit):4.802855095023468
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:ApHR+/BBAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:6A5A5F89B38F524FE3413FF11AC15AA0
                                                                                                                                                                                                          SHA1:42B43B77B233F2651E41B8DDD29B832EE1E0E994
                                                                                                                                                                                                          SHA-256:34F69AADAEBEF3C1956F50E1377E64A2843FE070B55E280D5CDA57CC39BAD76D
                                                                                                                                                                                                          SHA-512:A304002DAF889C51522F0940A39E04B2AB16536E8FFD14D4BBC73A096F71ADC80CE8AD3CA257BB378AE1BC698D7FF436091FF27A34DDA5463C796D2ABA3D829C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2434
                                                                                                                                                                                                          Entropy (8bit):4.801355246563097
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOtZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHS+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:96D7F86F2424FB3C81DFA941BF2B06C7
                                                                                                                                                                                                          SHA1:0B7F2675B0EDEA524C54434C6478706BFCBC6C18
                                                                                                                                                                                                          SHA-256:89A26AFCAB8D83AF5AE90EFE8B2DE68633FF61066EF5ABAC4640E720067A39B8
                                                                                                                                                                                                          SHA-512:F330DA55092C629464684C13742DFC9736B05950EE5F4C21578050E286293F8AC44745A311EA34481AE139BE908EC6C8F9BF14CC07269E23BBE4FA3A06B196FC
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>0</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2809
                                                                                                                                                                                                          Entropy (8bit):5.00659219460721
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:AGrN2Z5NonPbibwKY2osKu2oJRjkKKS2RNBBIAqrMx:AGrEpGfKY2osKu2oJRjkrS2R2AqO
                                                                                                                                                                                                          MD5:C300DDAF230F3789ADC4DC805229245D
                                                                                                                                                                                                          SHA1:7E80DA3FA76D8BD7893B8A9FF59F81010D5E5F7D
                                                                                                                                                                                                          SHA-256:12F68599A82951D345E1AFE8298259389BC43DDC2E908BAACD6A355AE0945570
                                                                                                                                                                                                          SHA-512:CDA4B9D1A0D54FF8EE657067C963D464414A3BCB67187DBB56EB833405515A14449F3763B8BC812ED2B299CD01E67207731C6B3D48DE71666F88F8B6A83A3240
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal[imgonly|card|msr]</ScanningMode>.. <FrankingEnabled>false[true]</FrankingEnabled>.. <WantCodeline>true[false]</WantCodeline>.. <ReturnedImages>front[,rear]</ReturnedImages>.. <StageDocuments>false[true]</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true[false]</DoubleDocDetectEnabled>.. <DoubleDocThreshold>[value from 0-100]</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true[false]</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW[Gray|Color]</Color>.. <Compression>G4[JPEG|None]</Compression>.. <Format>RAW[TIFF|MULTITIFF|BMP|DIB]</Format>.. <DPI>200[100,300,600]</DPI>.. <CropImage>Yes[No]</CropImage>.. <ImageSizeT
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2455
                                                                                                                                                                                                          Entropy (8bit):4.801955747824934
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibsfAojspobLpRN9DIqrMx:ApHM+/WfAojspoPpRTIqO
                                                                                                                                                                                                          MD5:8AA824E7A317631798B2AC260F01DA51
                                                                                                                                                                                                          SHA1:7767B02B382D7923AD53A893139C7F4E4FBCCB96
                                                                                                                                                                                                          SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
                                                                                                                                                                                                          SHA-512:90A84D159026746969AD5259170EE02F5FBBDC95A270734151270DE8F4B11AB4B2D6734E15F3A775444597DA938ACB7B688905954D77DA12E7FA9071958E768A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2434
                                                                                                                                                                                                          Entropy (8bit):4.802397601214804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHR+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:450234ED909316D4530B35619DF29748
                                                                                                                                                                                                          SHA1:CCD2BDA1E96B47D516129AE60849354B045DBB48
                                                                                                                                                                                                          SHA-256:4A0CCCB41BE86930D3CAFC7DB21A839152F86EB605F0854616F13992AA7A8A66
                                                                                                                                                                                                          SHA-512:1A3172370F65DA31AFB62C9BE2986540F00B6F3EDE429C3B7EDA6496DEC9000B2423497F0017196B1316A53560300E07D0E052B9FC52A052DD4CD580AFA43CF6
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2449
                                                                                                                                                                                                          Entropy (8bit):4.802855095023468
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:ApHR+/BBAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:6A5A5F89B38F524FE3413FF11AC15AA0
                                                                                                                                                                                                          SHA1:42B43B77B233F2651E41B8DDD29B832EE1E0E994
                                                                                                                                                                                                          SHA-256:34F69AADAEBEF3C1956F50E1377E64A2843FE070B55E280D5CDA57CC39BAD76D
                                                                                                                                                                                                          SHA-512:A304002DAF889C51522F0940A39E04B2AB16536E8FFD14D4BBC73A096F71ADC80CE8AD3CA257BB378AE1BC698D7FF436091FF27A34DDA5463C796D2ABA3D829C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2455
                                                                                                                                                                                                          Entropy (8bit):4.801955747824934
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibsfAojspobLpRN9DIqrMx:ApHM+/WfAojspoPpRTIqO
                                                                                                                                                                                                          MD5:8AA824E7A317631798B2AC260F01DA51
                                                                                                                                                                                                          SHA1:7767B02B382D7923AD53A893139C7F4E4FBCCB96
                                                                                                                                                                                                          SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
                                                                                                                                                                                                          SHA-512:90A84D159026746969AD5259170EE02F5FBBDC95A270734151270DE8F4B11AB4B2D6734E15F3A775444597DA938ACB7B688905954D77DA12E7FA9071958E768A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2463
                                                                                                                                                                                                          Entropy (8bit):4.8141008898143145
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoGkpRN9DIqrMx:ApHM+/WfAoYTpoFpRTIqO
                                                                                                                                                                                                          MD5:E9420005FFE39797B269B155679FA57F
                                                                                                                                                                                                          SHA1:C4DF624179BD6929CD6B1AF0041E82FEEB4945A3
                                                                                                                                                                                                          SHA-256:E164855CF50954B1DB75A4E7B26C91A4C702D0BFF67169E97F3F850B70B2F0FD
                                                                                                                                                                                                          SHA-512:F83E51B836E8D6DE9D987C564198B9EB3A7808F07068596026A88DC177F602660014840EF02A612F28EE8656EA2E310E436F85213F4446832E35CB3D55A27FD7
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2456
                                                                                                                                                                                                          Entropy (8bit):4.8042428201422025
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibvCAoYTpobLpRN9DIqrMx:ApHM+/BCAoYTpoPpRTIqO
                                                                                                                                                                                                          MD5:33953AFFF7BC693F3A43A4FFB8C8F246
                                                                                                                                                                                                          SHA1:B9124EFE18E420340DA9E22031CF8C43694732C3
                                                                                                                                                                                                          SHA-256:D9E02876CF4A30A19DD2C400459D26F99B7D5879EAE89441D71D7B456321703D
                                                                                                                                                                                                          SHA-512:2E234FB45AD94F0AA0001750E76663248ED7DB6CB7160456CBD45E239A53593AA8A758238F195C9479C80BA575D0D422F23714819CFA989F3189791E1F831D0C
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2809
                                                                                                                                                                                                          Entropy (8bit):5.00659219460721
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:AGrN2Z5NonPbibwKY2osKu2oJRjkKKS2RNBBIAqrMx:AGrEpGfKY2osKu2oJRjkrS2R2AqO
                                                                                                                                                                                                          MD5:C300DDAF230F3789ADC4DC805229245D
                                                                                                                                                                                                          SHA1:7E80DA3FA76D8BD7893B8A9FF59F81010D5E5F7D
                                                                                                                                                                                                          SHA-256:12F68599A82951D345E1AFE8298259389BC43DDC2E908BAACD6A355AE0945570
                                                                                                                                                                                                          SHA-512:CDA4B9D1A0D54FF8EE657067C963D464414A3BCB67187DBB56EB833405515A14449F3763B8BC812ED2B299CD01E67207731C6B3D48DE71666F88F8B6A83A3240
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal[imgonly|card|msr]</ScanningMode>.. <FrankingEnabled>false[true]</FrankingEnabled>.. <WantCodeline>true[false]</WantCodeline>.. <ReturnedImages>front[,rear]</ReturnedImages>.. <StageDocuments>false[true]</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true[false]</DoubleDocDetectEnabled>.. <DoubleDocThreshold>[value from 0-100]</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true[false]</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW[Gray|Color]</Color>.. <Compression>G4[JPEG|None]</Compression>.. <Format>RAW[TIFF|MULTITIFF|BMP|DIB]</Format>.. <DPI>200[100,300,600]</DPI>.. <CropImage>Yes[No]</CropImage>.. <ImageSizeT
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2435
                                                                                                                                                                                                          Entropy (8bit):4.802539388842096
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHM+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:640F7ABB77347ED65E1F1DC5178A39E6
                                                                                                                                                                                                          SHA1:79B78C41A1AB54276871A2779FEB0212673353B7
                                                                                                                                                                                                          SHA-256:96D9D9D4E084E3A613849363639AA2FFFE960F43919A9C582020F1A572DC3948
                                                                                                                                                                                                          SHA-512:D90AB6EDE3D640CDA7FCC6310737D39D4D372E81786F4B5A325D18D07686DC51C621AF1E1D18EA52CD551524C51E13E4E819706FBB76A9AD9527A1557F8D97BB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorse
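Several of the records above carry identical hash values (for instance SHA-256 AE40FA98… and 12F68599… each appear more than once), which means the installer writes the same scanner-configuration XML to more than one location rather than dropping many distinct payloads. The helper below is an added example, not code from the Joe Sandbox report or from the analysed installer: it parses such dropped-file records, groups them by SHA-256 so the number of distinct contents can be counted, and re-verifies a file recovered from the sandbox against the recorded size, 8-bit entropy and digests. The embedded report excerpt is constructed from hash, size and entropy values shown on this page, trimmed to the fields the helper reads; the assumed layout (one `Key:Value` field per line, a new record starting at each `Process:` line) mirrors the rendering here and is not a documented export format.

```python
"""Triage helper for sandbox "Dropped Files" records (added example, not from the report)."""
import hashlib
import math
import re
from collections import defaultdict

# Constructed excerpt: hash/size/entropy values are copied from the report above,
# trimmed to the fields this helper uses. Assumed layout: one "Key:Value" field per
# line, each record beginning at its "Process:" line.
SAMPLE_REPORT = r"""
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):2455
Entropy (8bit):4.801955747824934
MD5:8AA824E7A317631798B2AC260F01DA51
SHA1:7767B02B382D7923AD53A893139C7F4E4FBCCB96
SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Size (bytes):2434
Entropy (8bit):4.802397601214804
SHA-256:4A0CCCB41BE86930D3CAFC7DB21A839152F86EB605F0854616F13992AA7A8A66
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Size (bytes):2455
Entropy (8bit):4.801955747824934
SHA-256:AE40FA98A38A4712BF3D702788FA25F2320D5F94D558CA1788F4C08A060F381B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:Non-ISO extended-ASCII text, with CRLF line terminators
Size (bytes):2809
Entropy (8bit):5.00659219460721
SHA-256:12F68599A82951D345E1AFE8298259389BC43DDC2E908BAACD6A355AE0945570
Malicious:false
"""

# "Key:Value" with the shortest possible key, so "Process:C:\..." keeps its drive letter.
FIELD_RE = re.compile(r"^([^:]+?):(.*)$")


def parse_records(text):
    """Split the report text into one dict per dropped-file record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Process":  # every record starts with the process that dropped it
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def group_by_sha256(records):
    """Map each SHA-256 (lower-case hex) to the records that share that content."""
    groups = defaultdict(list)
    for rec in records:
        if "SHA-256" in rec:
            groups[rec["SHA-256"].lower()].append(rec)
    return dict(groups)


def shannon_entropy(data):
    """Byte-wise Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_dropped_file(record, data, entropy_tolerance=0.01):
    """Check a file recovered from the sandbox against its report record.

    Returns a list of discrepancies; an empty list means size, entropy and every
    digest present in the record all match the supplied bytes."""
    problems = []
    for field, algo in (("MD5", "md5"), ("SHA1", "sha1"),
                        ("SHA-256", "sha256"), ("SHA-512", "sha512")):
        if field in record:
            digest = hashlib.new(algo, data).hexdigest()
            if digest != record[field].lower():
                problems.append(f"{field} mismatch: got {digest}")
    if "Size (bytes)" in record and len(data) != int(record["Size (bytes)"]):
        problems.append(f"size mismatch: got {len(data)}")
    if "Entropy (8bit)" in record:
        measured = shannon_entropy(data)
        if abs(measured - float(record["Entropy (8bit)"])) > entropy_tolerance:
            problems.append(f"entropy mismatch: got {measured:.4f}")
    return problems


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for sha, members in group_by_sha256(recs).items():
        print(f"{sha[:16]}...  dropped {len(members)}x  size {members[0]['Size (bytes)']}")
```

Grouping by SHA-256 before looking at previews keeps the triage honest: the report's `Malicious:false` verdict is per content, so four records that collapse to three distinct digests are three files to review, not four. `verify_dropped_file` is the check to run on anything copied out of the sandbox VM, since a size or entropy mismatch with the record usually means the wrong file was pulled or it was modified after the snapshot.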
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2434
                                                                                                                                                                                                          Entropy (8bit):4.802397601214804
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Ap+OhZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+M+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:82A506D9EB608EB4AC1E2C2CA00E6DB5
                                                                                                                                                                                                          SHA1:54AF5F7F8FD9E5290F0A8AA62317D434A8CB7F65
                                                                                                                                                                                                          SHA-256:4AAB4377DCB51C1F367704D2DC8A510DE7256AB1D9D283918E510BA016B34FA3
                                                                                                                                                                                                          SHA-512:252199635D3A1D00B4900E44B6A8B2A714A83F9C21A039CE51F9B767EAD3DBF22870C1D859B109A30EF489B92F19726881A661562179213A4695568FEC7F83E9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2434
                                                                                                                                                                                                          Entropy (8bit):4.801355246563097
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOtZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:ApHS+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:96D7F86F2424FB3C81DFA941BF2B06C7
                                                                                                                                                                                                          SHA1:0B7F2675B0EDEA524C54434C6478706BFCBC6C18
                                                                                                                                                                                                          SHA-256:89A26AFCAB8D83AF5AE90EFE8B2DE68633FF61066EF5ABAC4640E720067A39B8
                                                                                                                                                                                                          SHA-512:F330DA55092C629464684C13742DFC9736B05950EE5F4C21578050E286293F8AC44745A311EA34481AE139BE908EC6C8F9BF14CC07269E23BBE4FA3A06B196FC
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>0</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorsem
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2435
                                                                                                                                                                                                          Entropy (8bit):4.800004037117997
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:ApHOSZ+Nn/GbibsfAoYTpobLpRN9DIqrMx:ApH/+/WfAoYTpoPpRTIqO
                                                                                                                                                                                                          MD5:B6A092DCF5932F7C4031BBAE214E5377
                                                                                                                                                                                                          SHA1:E4F8530FA9FB9B12166D3F206C34826462751C56
                                                                                                                                                                                                          SHA-256:D0301D852AEF2DE12CDEDD6ABD1E396EA479D39FEA897B09AFBE2767EDE86030
                                                                                                                                                                                                          SHA-512:EBDC0CE7AC5949748C7936788482C8062A0524656C8A0133FBD5AE4E60382271768A0A0F486E717BC44F4BF6CF9FF95FB53F76E8FEA4727671F1322F992C8BE8
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>false</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>false</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>true</DoubleDocDetectEnabled>.. <DoubleDocThreshold></DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2433
                                                                                                                                                                                                          Entropy (8bit):4.802174027638217
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Ap+OeZ+Nn/GbibsfAoYTpoLLpRN9DIqrMx:Ap+R+/WfAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:3D487B9E931A89A3CE3D2C2A7B988F6B
                                                                                                                                                                                                          SHA1:82316073F4C52EF1CAF3C52B1F6DAD0CF15807A4
                                                                                                                                                                                                          SHA-256:9A7A50123C14825FEE2D1A9603626A84B19ADAB889741CA9775EF8E9829620B7
                                                                                                                                                                                                          SHA-512:FE1FEFF24FB20E4AF5447D481BA74AE4CA19DDF18F5D557CA33258F5EB6CBD95923CC9DE63E352711A3BA37F72543275CE6B83453945B79C3DF36E4AEB160A8B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):2448
                                                                                                                                                                                                          Entropy (8bit):4.802566723178274
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:Ap+OeZ+Nn/GbibvdTAoYTpoLLpRN9DIqrMx:Ap+R+/BBAoYTpo/pRTIqO
                                                                                                                                                                                                          MD5:D105186A9CBE53E2066F626F74BD3D40
                                                                                                                                                                                                          SHA1:87FC9988608C3F957E8A11235AB1A92ACC116AD5
                                                                                                                                                                                                          SHA-256:5710B45A359AE70D86C1A83F402282F33EADD60DD3E376CD1B19A46223318447
                                                                                                                                                                                                          SHA-512:B8ACAA948FAF0B08D2EAF55BCC50A273E0D56180F7A55E2A805C9113270936BF3790A30E73DDEFDABC7DADBF22DB0F146F7CB068EB198BBB7BAFF2499EB60224
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<parameters>.. <deviceId>0</deviceId>.. <Scanning>.. <ScanningMode>normal</ScanningMode>.. <FrankingEnabled>true</FrankingEnabled>.. <WantCodeline>true</WantCodeline>.. <ReturnedImages>front,rear</ReturnedImages>.. <StageDocuments>true</StageDocuments>.. <MaxDocumentWidth>9000</MaxDocumentWidth>.. <MaxDocumentHeight>4000</MaxDocumentHeight>.. <DoubleDocDetectEnabled>false</DoubleDocDetectEnabled>.. <DoubleDocThreshold>0</DoubleDocThreshold>.. <DocPocket>1</DocPocket>.. </Scanning>.. <TwainOptions>.. <HWCropAndDeskewEnabled>true</HWCropAndDeskewEnabled>.. </TwainOptions>.. <ImageOptions>.. <Color>BW</Color>.. <Compression>G4</Compression>.. <Format>RAW</Format>.. <DPI>200</DPI>.. <CropImage>Yes</CropImage>.. <ImageSizeTolerance>25</ImageSizeTolerance>.. <ImageQualityThreshold>5</ImageQualityThreshold>.. </ImageOptions>.. <PhysicalEndorseme
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:HTML document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):11222
                                                                                                                                                                                                          Entropy (8bit):4.906615747950895
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:xWv/rVEWWgcGLjqayPyeTb8Ap4gqQ+M8ddspnW:xlnaS7EAR+M8PEnW
                                                                                                                                                                                                          MD5:4404937977A219AE6C282C86BC2E3588
                                                                                                                                                                                                          SHA1:BBF9498F2E2DB853B6FAB2EC8C0D2DE9DC0233E0
                                                                                                                                                                                                          SHA-256:92144E3BD70A3DB922443EDFAAF040083804569FCE67E5A62604BFCEF98EC6BF
                                                                                                                                                                                                          SHA-512:C68B375DBB23BBC5B19C9F0BA439F6F50745F61E3B279ED208D9B8BF58D034DC7DC65A464D7312F66233AB10993684D038FD584C480C4814B942BD3A8B61633F
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:<!DOCTYPE html>..<html language="en">..<head>..<meta charset="utf-8">...<title>RDM - Scanner</title>...<meta name="description" content="Transform your Payments with RDM RDM Corporation is a provider of Remote Deposit Capture (RDC), integrated receivables and payment processing solutions designed to help clients simplify the way they do business.">.. <meta name="author" content="Geoff Culley - RDM Corporation">.... <link rel="stylesheet" href="css/smoothness/jquery-ui-1.10.4.custom.min.css">...<script src="js/jquery-1.11.1.min.js"></script>...<script src="js/jquery-ui-1.10.4.custom.min.js"></script>.... <script>....$(function() { $( "#tabs" ).tabs({active: 1}); });...</script>.... <style>.. .body{.....width: 100%;.. height:100%;...... padding:0;.. margin:0;.....font-family:helvetica,sans-serif;.....background-color:#f2f2f2;....}.... li a{.. outline:none;.. }.... #wrapper{.. min-height:100%;..
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):733349
                                                                                                                                                                                                          Entropy (8bit):6.506487301120614
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12288:RsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zk:yMcMoi3rPR37dzHRA6G7WbuSEmK50zy0
                                                                                                                                                                                                          MD5:9C0680C10EA44E4F9A2A461D4260E6D3
                                                                                                                                                                                                          SHA1:DEB400C82E04CC49DE0AB4B8816723D29ED5CF7C
                                                                                                                                                                                                          SHA-256:123D677281EB988B2B7BA053781B6AE71A88BC9EA71D4695E109AD81765CB0B0
                                                                                                                                                                                                          SHA-512:EA25EAB767CF4668F66CB5CE199BDACC24C1F569DB6F023DCBB5449796C664A994438149CE6319396B999F72928C8D04A6AA8B2E3EB601C67524F15A4F49EA31
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................h....................@.......................................@......@...............................&.......+...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc....+.......,..................@..P.....................r..............@..P........................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          File Type:InnoSetup Log RDM Appweb, version 0x30, 8816 bytes, 571345\user, "C:\Program Files (x86)\RDM Corporation\RDM Appweb"
                                                                                                                                                                                                          Category:dropped
Size (bytes):8816
Entropy (8bit):5.023484229336132
Encrypted:false
SSDEEP:96:3wdm64kQ5m73ihQP0ZBRPbRevyvz5v6ic44cVSQs0zsnpDwrhL7Z9a77phKT8E8B:3MIQPKBReQ5IcVSQinU7Ta77phKc
MD5:AF95782D2B6305FB775BA7C58AA8DB7D
SHA1:E4CE16E48FA5DEC1B6571928288A31B119FCF71B
SHA-256:8C31E32031F0CC6DEACA510A8B5A1DBB416AE8C2B587712F2435505076FB6D84
SHA-512:0261D9FD105844914FB7FE2E07D22A800545F88CB31EABB3EB7DA468A4717691EF1D3A29CCEE5DD0BD787AABA4453AA30E39DC18FE66EF33DE63D7B27CE181D9
Malicious:false
Preview:Inno Setup Uninstall Log (b)....................................RDM Appweb......................................................................................................................RDM Appweb......................................................................................................................0...4...p"..%...............................................................................................................n.O:........_.........Q....571345.user1C:\Program Files (x86)\RDM Corporation\RDM Appweb.............4.X.. ............IFPS.............................................................................................................BOOLEAN.......................................................................................!MAIN....-1.............ADDPATH....-1 @8 @8..ISADMINLOGGEDON.......ISPOWERUSERLOGGEDON.......REGVALUEEXISTS..........REGQUERYSTRINGVALUE...........POS.........SETARRAYLENGTH.......COPY..........LENGTH........ISUNINSTALLER.......R

Process:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):733349
Entropy (8bit):6.506487301120614
Encrypted:false
SSDEEP:12288:RsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zk:yMcMoi3rPR37dzHRA6G7WbuSEmK50zy0
MD5:9C0680C10EA44E4F9A2A461D4260E6D3
SHA1:DEB400C82E04CC49DE0AB4B8816723D29ED5CF7C
SHA-256:123D677281EB988B2B7BA053781B6AE71A88BC9EA71D4695E109AD81765CB0B0
SHA-512:EA25EAB767CF4668F66CB5CE199BDACC24C1F569DB6F023DCBB5449796C664A994438149CE6319396B999F72928C8D04A6AA8B2E3EB601C67524F15A4F49EA31
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................h....................@.......................................@......@...............................&.......+...................@...............................0......................................................CODE............................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls......... ...........................rdata.......0......................@..P.reloc..P....@......................@..P.rsrc....+.......,..................@..P.....................r..............@..P........................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131328
Entropy (8bit):6.377177227761894
Encrypted:false
SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
MD5:895924B96B8B7BC52781E921E0AB93B8
SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:InnoSetup Log RDM Download Agent 4.0.4.0 {2A5E899A-C6CB-4617-A67C-756CA37B36B0}, version 0x418, 45625 bytes, 571345\37\user\376, C:\Program Files (x86)\RDM Corporation\376
Category:dropped
Size (bytes):45625
Entropy (8bit):4.00520226694423
Encrypted:false
SSDEEP:768:kr37+HmH+NjxHvrxncjou08GN6CkNOMndfGzbf0GyyUB20A7AFbmOkY:u7omH+NjxHvrxncjr08GN6CkNOMndfuK
MD5:043E500FB4038F6EEFEEA772B4DE7532
SHA1:C78BC0D441C7220E3CD7D77069AE9C407C87F40E
SHA-256:40C1E144D4EE3A07E4EBA641796E2A344C2059ABBD6D8C7A0F4A04143E694C40
SHA-512:05575BEC50E9822873F077604DF1E2D20EFCBC6D4E357F01C08A7DDE78511AF09330A190A7B1A2728C5D732C547EAF50DA93B138AAF8747A8D9C71CF69D71CA9
Malicious:false
Preview:Inno Setup Uninstall Log (b)....................................{2A5E899A-C6CB-4617-A67C-756CA37B36B0}..........................................................................................RDM Download Agent 4.0.4.0..........................................................................................................Y...9......................................................................................................................V.........y................5.7.1.3.4.5......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.R.D.M. .C.o.r.p.o.r.a.t.i.o.n..................2.... ......t.......IFPS....,...d....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TNEWSTATICTEXT....TNEWSTATICTEXT.........TNEW

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131328
Entropy (8bit):6.377177227761894
Encrypted:false
SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
MD5:895924B96B8B7BC52781E921E0AB93B8
SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
Category:dropped
Size (bytes):24097
Entropy (8bit):3.2749730459064845
Encrypted:false
SSDEEP:192:b1EjNSCkf3SCqsTr6CCPanAG1tznL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:b1EK6CHr6fSX+7Q1U5YQDztB/B3o
MD5:313D0CC5D1A64D2565E35937991775A6
SHA1:B8ACB11878C485865C9E4679248E53B83A8F3AD4
SHA-256:5ED0233C0922E9F20307315E24B4F33C3D56AB9F42B2F75AE91E7A27FD313B66
SHA-512:7C2DB4A3A4A8DF09F8119A7BA4CA9EBFE562F0A34D431928344E21A5853931EEFBFD910DC4026C6788AC22423BBB125F2B700326D8A1D82B134E2B486C3D0684
Malicious:false
Preview:Inno Setup Messages (6.0.0) (u)......................................]..+..... .C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131344
Entropy (8bit):6.377169247154071
Encrypted:false
SSDEEP:49152:8EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338u:892bz2Eb6pd7B6bAGx7b333J
MD5:9ECEDBF75204AF13FD44FEE9708AD1A1
SHA1:3228B4C4281EAD90E8CBEAE44944A695484809BE
SHA-256:91918F711F94703DB4ECFD02582DB2856B718BDEA6B31410D92C002F54806896
SHA-512:3CF1DC3B96F217D5C1ED8109041CA8BA2D4F1FB07EEA86CF5208F2905F598FB537DDBEF21A5C67D3857A0EF747F8E6DE950C77E8D62333F66024C58055F018BB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....I.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:InnoSetup Log RDM Scanner Control Manager 4.0.3.1 {2A5E799A-C6CB-4617-A67C-756CA37B36B0}, version 0x418, 40489 bytes, 571345\37\user\376, C:\Program Files (x86)\RDM Corporation\376
Category:dropped
Size (bytes):40489
Entropy (8bit):4.007293632968892
Encrypted:false
SSDEEP:768:Jq6A8dAKMNjxHvrxncRou08GN6CkNO3bjUvfVksl//:pNAKMNjxHvrxncRr08GN6CkNtvfVkslX
MD5:B650F04E976F5C26A21E77769575CDD6
SHA1:A720991AF60DB6478C0EAEDB48C80AAF131ADEEA
SHA-256:E33CCFA9F1854C2799A65CE9296B523E8662DE46DCABFD565BEDB9DEB4A9029B
SHA-512:A02FB91AF8471CBD12C04997F74771AFAD9112BA81F1850E72BD83A3D657E33C75940B4871C3A9E6C1C973C48D716F7F9C1DABF298FA260F76C7AB73E0A75FF1
Malicious:false
Preview:Inno Setup Uninstall Log (b)....................................{2A5E799A-C6CB-4617-A67C-756CA37B36B0}..........................................................................................RDM Scanner Control Manager 4.0.3.1.................................................................................................N...).....................................................................................................................(.........F..................5.7.1.3.4.5......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.R.D.M. .C.o.r.p.o.r.a.t.i.o.n....................... .....2j.......IFPS........h....................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TNEWSTATICTEXT....TNEWSTATICTEXT.........TNEW

                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):3131344
                                                                                                                                                                                                          Entropy (8bit):6.377169247154071
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:49152:8EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338u:892bz2Eb6pd7B6bAGx7b333J
                                                                                                                                                                                                          MD5:9ECEDBF75204AF13FD44FEE9708AD1A1
                                                                                                                                                                                                          SHA1:3228B4C4281EAD90E8CBEAE44944A695484809BE
                                                                                                                                                                                                          SHA-256:91918F711F94703DB4ECFD02582DB2856B718BDEA6B31410D92C002F54806896
                                                                                                                                                                                                          SHA-512:3CF1DC3B96F217D5C1ED8109041CA8BA2D4F1FB07EEA86CF5208F2905F598FB537DDBEF21A5C67D3857A0EF747F8E6DE950C77E8D62333F66024C58055F018BB
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....I.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
                                                                                                                                                                                                          File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):24097
                                                                                                                                                                                                          Entropy (8bit):3.2749730459064845
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:b1EjNSCkf3SCqsTr6CCPanAG1tznL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:b1EK6CHr6fSX+7Q1U5YQDztB/B3o
                                                                                                                                                                                                          MD5:313D0CC5D1A64D2565E35937991775A6
                                                                                                                                                                                                          SHA1:B8ACB11878C485865C9E4679248E53B83A8F3AD4
                                                                                                                                                                                                          SHA-256:5ED0233C0922E9F20307315E24B4F33C3D56AB9F42B2F75AE91E7A27FD313B66
                                                                                                                                                                                                          SHA-512:7C2DB4A3A4A8DF09F8119A7BA4CA9EBFE562F0A34D431928344E21A5853931EEFBFD910DC4026C6788AC22423BBB125F2B700326D8A1D82B134E2B486C3D0684
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:Inno Setup Messages (6.0.0) (u)......................................]..+..... .C.a.n.c.e.l. .i.n.s.t.a.l.l.a.t.i.o.n...S.e.l.e.c.t. .a.c.t.i.o.n...&.I.g.n.o.r.e. .t.h.e. .e.r.r.o.r. .a.n.d. .c.o.n.t.i.n.u.e...&.T.r.y. .a.g.a.i.n...&.A.b.o.u.t. .S.e.t.u.p.........%.1. .v.e.r.s.i.o.n. .%.2.....%.3.........%.1. .h.o.m.e. .p.a.g.e.:.....%.4.....A.b.o.u.t. .S.e.t.u.p...Y.o.u. .m.u.s.t. .b.e. .l.o.g.g.e.d. .i.n. .a.s. .a.n. .a.d.m.i.n.i.s.t.r.a.t.o.r. .w.h.e.n. .i.n.s.t.a.l.l.i.n.g. .t.h.i.s. .p.r.o.g.r.a.m.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):103
                                                                                                                                                                                                          Entropy (8bit):4.493835447768373
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
                                                                                                                                                                                                          MD5:9556062A739F56D168C1581A11192A17
                                                                                                                                                                                                          SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
                                                                                                                                                                                                          SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
                                                                                                                                                                                                          SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):90
                                                                                                                                                                                                          Entropy (8bit):4.4385634049235
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
                                                                                                                                                                                                          MD5:30573ACFC9586271A3F800A10C284479
                                                                                                                                                                                                          SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
                                                                                                                                                                                                          SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
                                                                                                                                                                                                          SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):103
                                                                                                                                                                                                          Entropy (8bit):4.493835447768373
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
                                                                                                                                                                                                          MD5:9556062A739F56D168C1581A11192A17
                                                                                                                                                                                                          SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
                                                                                                                                                                                                          SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
                                                                                                                                                                                                          SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):90
                                                                                                                                                                                                          Entropy (8bit):4.4385634049235
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
                                                                                                                                                                                                          MD5:30573ACFC9586271A3F800A10C284479
                                                                                                                                                                                                          SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
                                                                                                                                                                                                          SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
                                                                                                                                                                                                          SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):56
                                                                                                                                                                                                          Entropy (8bit):4.503434386188784
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
                                                                                                                                                                                                          MD5:E40A3D559E4B85251943E071CD036D90
                                                                                                                                                                                                          SHA1:10FC58DF075108C912589F7954244A807776A0FB
                                                                                                                                                                                                          SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
                                                                                                                                                                                                          SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview://..lockPref("security.enterprise_roots.enabled", true);
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):56
                                                                                                                                                                                                          Entropy (8bit):4.503434386188784
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
                                                                                                                                                                                                          MD5:E40A3D559E4B85251943E071CD036D90
                                                                                                                                                                                                          SHA1:10FC58DF075108C912589F7954244A807776A0FB
                                                                                                                                                                                                          SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
                                                                                                                                                                                                          SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview://..lockPref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):37
Entropy (8bit):4.134468568039293
Encrypted:false
SSDEEP:3:sFz5YHXdXLVdKIxbn:sFtqXdeabn
MD5:5D360F55BB6F14F8C22AE918F14C93C1
SHA1:C94497156A4D526879297EA60055932E4B4CA068
SHA-256:E91EB39328DB1C57932A1121750653E10F149BB200379FD53A0BCA44738A5843
SHA-512:1A96A46817204DE317BBF0A53FBB13CA7710AA54A50BD73C508450E51E6BF7904BD3EA7FEC58C9771C03E007C2E680D81B59D2231A7756774A6CEC2601879A5C
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"></PROFILE>

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):37
Entropy (8bit):4.134468568039293
Encrypted:false
SSDEEP:3:sFz5YHXdXLVdKIxbn:sFtqXdeabn
MD5:5D360F55BB6F14F8C22AE918F14C93C1
SHA1:C94497156A4D526879297EA60055932E4B4CA068
SHA-256:E91EB39328DB1C57932A1121750653E10F149BB200379FD53A0BCA44738A5843
SHA-512:1A96A46817204DE317BBF0A53FBB13CA7710AA54A50BD73C508450E51E6BF7904BD3EA7FEC58C9771C03E007C2E680D81B59D2231A7756774A6CEC2601879A5C
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"></PROFILE>

Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):109
Entropy (8bit):4.915620880471987
Encrypted:false
SSDEEP:3:sFz5YHXdXLVd1km9sOxJgk+dthkd22fYHRNKbZxbn:sFtqXdyDMHACd22fqRYbTbn
MD5:5353EA0F06B3F8D93C980C5D3439F5F8
SHA1:DA54B24834E62E65B2CDA77FBE99F83072884593
SHA-256:19E37D253BDC5D6C80B2FC165F185E26836A2200558D005454E7AF9B6F97D603
SHA-512:3299D4052B8B6F21DDB799BF0F7555182A2C15058459B01A93EBF0A29F451F1092990B7CBE0DDBDD408A4C039AC2DFF134366B4EFD75ECD820CD96837869913E
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"><PACKAGE GUID="47A254C1-76A4-4D9D-9E6B-D56B07E276B8" VERSION="4.0.4.0"/></PROFILE>

Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):37
Entropy (8bit):4.134468568039293
Encrypted:false
SSDEEP:3:sFz5YHXdXLVdKIxbn:sFtqXdeabn
MD5:5D360F55BB6F14F8C22AE918F14C93C1
SHA1:C94497156A4D526879297EA60055932E4B4CA068
SHA-256:E91EB39328DB1C57932A1121750653E10F149BB200379FD53A0BCA44738A5843
SHA-512:1A96A46817204DE317BBF0A53FBB13CA7710AA54A50BD73C508450E51E6BF7904BD3EA7FEC58C9771C03E007C2E680D81B59D2231A7756774A6CEC2601879A5C
Malicious:false
Preview:<PROFILE VERSION="2.0.2.0"></PROFILE>

Process:C:\8ae2907c08a3ced0022a08\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):16118
Entropy (8bit):3.6434775915277604
Encrypted:false
SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjT:fdsOT01KcBUFJFEWUxFzvHH
MD5:CD131D41791A543CC6F6ED1EA5BD257C
SHA1:F42A2708A0B42A13530D26515274D1FCDBFE8490
SHA-256:E139AF8858FE90127095AC1C4685BCD849437EF0DF7C416033554703F5D864BB
SHA-512:A6EE9AF8F8C2C7ACD58DD3C42B8D70C55202B382FFC5A93772AF7BF7D7740C1162BB6D38A4307B1802294A18EB52032D410E128072AF7D4F9D54F415BE020C9A
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\8ae2907c08a3ced0022a08\Setup.exe
File Type:data
Category:dropped
Size (bytes):7154
Entropy (8bit):3.6253409285296856
Encrypted:false
SSDEEP:48:35mfWK03KGP859K45VT+5VeJV6Pq5VSL45f+588K03KGh/lM85X29bZf5H5kP9lf:uKoC7L6QROR4hbzRVRruu++lIzun
MD5:9A0B819316A7540BA3B31DFD53C5D96D
SHA1:CD5B7772789257BDD53EDA0C5949BF38EA4725B6
SHA-256:63ED425E9F9FF7B5660ACB715FED082EC19175988C8AB537266F416ECB6E03C3
SHA-512:967DCACD882425D2539E97A1B8C633503B72070763D11A4DBA9C5E1A6C810FFF979951EDD091E3D63B925794CB30ADF5653463F17C91B5FCC94761ABF16497D1
Malicious:false
Preview:....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.2.3.:.5.].<./.s.p.a.n.>.c.a.l.l.i.n.g. .P.e.r.f.o.r.m.A.c.t.i.o.n. .o.n. .a.n. .i.n.s.t.a.l.l.i.n.g. .p.e.r.f.o.r.m.e.r.<.B.R.>.<./.s.p.a.n.>.....<.s.p.a.n. .c.l.a.s.s.=.".a.c.t.".>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.H.d.r.".>.<.a. .h.r.e.f.=.".#.". .o.n.c.l.i.c.k.=.".t.o.g.g.l.e.S.e.c.t.i.o.n.(.).;. .e.v.e.n.t...r.e.t.u.r.n.V.a.l.u.e.=.f.a.l.s.e.;.".>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.2.3.:.5.]. .<./.s.p.a.n.>.A.c.t.i.o.n.:. .P.e.r.f.o.r.m.i.n.g. .a.c.t.i.o.n.s. .o.n. .a.l.l. .I.t.e.m.s.<./.s.p.a.n.>.<.s.p.a.n. .c.l.a.s.s.=.".s.e.c.t.i.o.n.E.x.p.2.".>.......<.B.R.>.<./.s.p.a.n.>.<./.a.>.<./.d.i.v.>.<.d.i.v. .c.l.a.s.s.=.".s.e.c.t.i.o.n.".>.....<.s.p.a.n. .c.l.a.s.s.=.".v.b.e.".>.<.s.p.a.n. .c.l.a.s.s.=.".t.".>.[.1.0./.3.1./.2.0.2.4.,. .1.4.:.2.3.:.5.].<./.s.p.a.n.>.W.a.i.t. .f.o.r. .I.t.e.m. .(.v.c._.

Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
Category:dropped
Size (bytes):285316
Entropy (8bit):3.816513248051659
Encrypted:false
SSDEEP:3072:jej2FmujQQQQQQQQQQQQQQQQQAk/lgyHz1+jMfYD3TQi7j:6jyd
MD5:486C04B437750392B992F09DAD87ABB4
SHA1:426E2E27AF4F6820A1FEC3F1651EEA734630B59C
SHA-256:445B8680FA81E51ADA9F83EF04EAB33A7553ED8F9492CD86752E5FA740F6B326
SHA-512:5C34154E30303004D4CB2DC003467CFD44A959B45A3B153B96E1AB65D3ADF584B4FDBFAB3FD505619910972672693832EC4D62037100F335A0DB737E74A4E7B4
Malicious:false
Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .3.1./.1.0./.2.0.2.4. . .1.4.:.2.3.:.0.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .c.:.\.8.a.e.2.9.0.7.c.0.8.a.3.c.e.d.0.0.2.2.a.0.8.\.S.e.t.u.p...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.9.4.:.D.4.). .[.1.4.:.2.3.:.0.7.:.0.6.6.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.9.4.:.D.4.). .[.1.4.:.2.3.:.0.7.:.0.6.6.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.9.4.:.D.4.). .[.1.4.:.2.3.:.0.7.:.0.6.6.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .c.:.\.8.a.e.2.9.0.7.c.0.8.a.3.c.e.d.0.0.2.2.a.0.8.\.v.c._.r.e.d...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.9.4.:.D.4.). .[.1.4.:.2.3.:.0.7.:.0.8.

Process:C:\8ae2907c08a3ced0022a08\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (357), with CRLF line terminators
Category:modified
Size (bytes):74522
Entropy (8bit):3.676262969815548
Encrypted:false
SSDEEP:384:fdsOT01KcBUFJFEWUxFzvHnJE2Cy6ZxQEAlx6vbSwiT:fdsOTLyUFJFEWUxFzvHCQLr6vhiT
MD5:71BDB4A5FFE59F9B3D643B15DB7D1EB9
SHA1:0CECF0C437EB9B6A43943A63F317B9D648F3A8FA
SHA-256:511FB76EB58CFFF22DF1199CFD09BA1A79338E6D12E8080882244DDC3C8346EF
SHA-512:CB8F38F60E9F3F297F0C3079400642E88A09AFFBEB749DE606B5F4C202227E7D7D6F15F736E05B86177DD125432DFEEE1FDC411A7E16F0992551AE1293B7C68D
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\8ae2907c08a3ced0022a08\Setup.exe
File Type:HTML document, Unicode text, UTF-16, little-endian text, with very long lines (323), with CRLF line terminators
Category:dropped
Size (bytes):29442
Entropy (8bit):3.7059288077922883
Encrypted:false
SSDEEP:192:7Ddx3KOTczFQ21Kp4n5DTx1iDecPeLHLHQFJFjZWblWUxFzJzcKHjrhimDGv2Cy7:fdsOT01KcBUFJFEWUxFzvHnJE2Cy6e
MD5:535DC5553A05FFC89DD46E1CE770C456
SHA1:2E4974DCFC15600B67384298FC92F09D323CA8A1
SHA-256:DD91B2DA35EA37661509B8C1DFDE196E18A0E769E678CF8316AE5404257A9205
SHA-512:C555129FA82CF744CA7FC909CF52F9115CD8285073A66A516EEF216B8F64124539C7907D5C236E252CEA89554B2F90DE82BEBA9D0E05F079BDA4A5AF27B65F37
Malicious:false
Preview:..<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C././.D.T.D. .X.H.T.M.L. .1...1././.E.N.". .".h.t.t.p.:././.w.w.w...w.3...o.r.g./.T.R./.x.h.t.m.l.1.1./.D.T.D./.x.h.t.m.l.1.1...d.t.d.".>.....<.!.-.-. .T.h.e. .E.x.t.e.n.d.e.d. .C.o.p.y.r.i.g.h.t./.T.r.a.d.e.m.a.r.k. .L.a.n.g.u.a.g.e. .R.e.s.i.d.e.s. .A.t.:. .h.t.t.p.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.i.n.f.o./.c.p.y.r.t.I.n.f.r.g...h.t.m. .-.-.>.....<.h.t.m.l. .x.m.l.n.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.1.9.9.9./.x.h.t.m.l.".>.....<.h.e.a.d.>.......<.m.e.t.a. .h.t.t.p.-.e.q.u.i.v.=.".C.o.n.t.e.n.t.-.T.y.p.e.". .c.o.n.t.e.n.t.=.".t.e.x.t./.h.t.m.l.;. .c.h.a.r.s.e.t.=.u.t.f.-.1.6."./.>.<.b.a.s.e. .t.a.r.g.e.t.=."._.b.l.a.n.k."./.>.......<.s.t.y.l.e. .t.y.p.e.=.".t.e.x.t./.c.s.s.".>.........h.t.m.l.{.o.v.e.r.f.l.o.w.:.s.c.r.o.l.l.}.........b.o.d.y.{.f.o.n.t.-.s.i.z.e.:.1.0.p.t.;.f.o.n.t.-.f.a.m.i.l.y.:.V.e.r.d.a.n.a.;.c.o.l.o.r.:.#.0.0.0.0.0.0.;.b.a.c.k.g.r.o.u.n.d.-.c.o.l.o.r.:.#.F.0.F.0.F.0.}...........h.e.a.d.e.r.

Process:C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3131328
Entropy (8bit):6.377177227761894
Encrypted:false
SSDEEP:49152:FEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF33383:J92bz2Eb6pd7B6bAGx7b333Y
MD5:895924B96B8B7BC52781E921E0AB93B8
SHA1:3574ED0904E9386F602E181592F3DCF951A4F36B
                                                                                                                                                                                                          SHA-256:8CAC9F851CF868D6764058F43CC63DADF6CF7964D12E45367156AC4F7626AD55
                                                                                                                                                                                                          SHA-512:C8FF044AACB9E21BD211F0946FCF78222543CFBA0266D026831D35ADB21109A84132485A91BA9E0333EC2856F82D22EDDE1BE7251D2EA5FEA535709E85CD43CF
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                          Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,..^......`F,......P,...@...........................0.....A.0...@......@....................-......p-.29....-.............../..+....................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc.........-.......-.............@..@..............1.......0.............@..@........................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6482264
                                                                                                                                                                                                          Entropy (8bit):7.998880076329747
                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                          SSDEEP:196608:8Q1ATfurodNWgauwGyktkN70QBzQHpnJnPVNLyLhXv:8kAz4wjVkN70QaHpnJN5ef
                                                                                                                                                                                                          MD5:DBC54A8343ACC3271098DD7F2E5B7345
                                                                                                                                                                                                          SHA1:42E9094219FD430D375920E97ED8932A7E5D504F
                                                                                                                                                                                                          SHA-256:959572470115C28195F4D9FBD84627F610DB4DABA7AC2DD3091D6F4A899EF46E
                                                                                                                                                                                                          SHA-512:CB4FFAD566A1F7D0705FB0C0E6B8CF22513A1019A224F61200C277CB4F267EDD048AC43BD57B183FAC8678663CCA95C663D07447658112386DD069CABFCC5B9E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p........c...@......@..............................|.... ...J............b.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6144
                                                                                                                                                                                                          Entropy (8bit):4.720366600008286
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):5073240
                                                                                                                                                                                                          Entropy (8bit):7.998813387067771
                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                          SSDEEP:98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
                                                                                                                                                                                                          MD5:B88228D5FEF4B6DC019D69D4471F23EC
                                                                                                                                                                                                          SHA1:372D9C1670343D3FB252209BA210D4DC4D67D358
                                                                                                                                                                                                          SHA-256:8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
                                                                                                                                                                                                          SHA-512:CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#pA.B...B...B..gM...B...B...B..gMC..B..gMA..B..gM@..B..gMD..B..Rich.B..........................PE..L....jkG.............................c... ........... ..............................hzM.......... ...................................................RM.X........... "...............................&..@............ ...............................text........ ...................... ..`.data...............................@....rsrc.............L.................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6585704
                                                                                                                                                                                                          Entropy (8bit):7.998699715615937
                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                          SSDEEP:196608:nWs1RZwZA1n0tJ/uNDAKyLogRkDGzamPxT2XxUp8z2/:WMZwZAp0fmdAKyLogI9AI/y
                                                                                                                                                                                                          MD5:8DFECDDDB51D01D40B8FC278AE3C555C
                                                                                                                                                                                                          SHA1:FF0557847CB3A78CFDA37A53B1A15A33D0199388
                                                                                                                                                                                                          SHA-256:6C0E7F45649D8594AB3260B2498C292D3EE6F3E2346735A4AEB5BBEEF2C7CAA6
                                                                                                                                                                                                          SHA-512:33FADF253F9CEECE379EFF30ABFB0F3B81E815F135A5854BD23044B3C61111C515B29F9D0BD645004ECF31DD502D565F1AC36F4BF2AC45C2DDC51EEABE54313B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p......^.e...@......@..............................|.... ...J...........`d.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):6482264
                                                                                                                                                                                                          Entropy (8bit):7.998880076329747
                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                          SSDEEP:196608:8Q1ATfurodNWgauwGyktkN70QBzQHpnJnPVNLyLhXv:8kAz4wjVkN70QaHpnJN5ef
                                                                                                                                                                                                          MD5:DBC54A8343ACC3271098DD7F2E5B7345
                                                                                                                                                                                                          SHA1:42E9094219FD430D375920E97ED8932A7E5D504F
                                                                                                                                                                                                          SHA-256:959572470115C28195F4D9FBD84627F610DB4DABA7AC2DD3091D6F4A899EF46E
                                                                                                                                                                                                          SHA-512:CB4FFAD566A1F7D0705FB0C0E6B8CF22513A1019A224F61200C277CB4F267EDD048AC43BD57B183FAC8678663CCA95C663D07447658112386DD069CABFCC5B9E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................\....................@..........................p........c...@......@..............................|.... ...J............b.............................................................................................CODE............................... ..`DATA....P...........................@...BSS......................................idata..|...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....J... ...L..................@..P.............P......................@..P........................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):15446
                                                                                                                                                                                                          Entropy (8bit):3.415917339563178
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:VKDocWGurKEfLrEIHYAZrKQacmM+uhU9Vjbr/aRLzEbFz/GpIC+eVRorQ4NkAYaD:kDochurKEfLrEIHYAZrKQacmM+uhU9Vx
                                                                                                                                                                                                          MD5:995334794FDE38EAFDD8CC4515BB8CEB
                                                                                                                                                                                                          SHA1:1F009D0A2EE4676FAA63E125C922E13E31D5A58C
                                                                                                                                                                                                          SHA-256:CB995D3CEE885470C762D80971ADB1BCE59A17B6C455190C057150328C0E4C7F
                                                                                                                                                                                                          SHA-512:017760A7B9F7E23F048024DFFE864392E02885493FDB335BECEFA7CBA8B38C79831CC076200DBAE1045E4BDA02E757A507901A7A23DAB9CE4EA95FA6C83488A8
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:..Image Name PID Session Name Session# Mem Usage..========================= ======== ================ =========== ============..System Idle Process 0 Services 0 8 K..System 4 Services 0 176 K..Registry 92 Services 0 80'092 K..smss.exe 324 Services 0 1'236 K..csrss.exe 408 Services 0 5'344 K..wininit.exe 484 Services 0 7'256 K..csrss.exe 492 Console 1 5'972 K..winlogon.exe 552 Console 1 16'700 K..services.exe 620 Services 0 12'484 K..lsass.exe 628 Services 0 19'976 K..svchost.exe 752 Services
Process: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6585704
Entropy (8bit): 7.998699715615937
Encrypted: true
SSDEEP: 196608:nWs1RZwZA1n0tJ/uNDAKyLogRkDGzamPxT2XxUp8z2/:WMZwZAp0fmdAKyLogI9AI/y
MD5: 8DFECDDDB51D01D40B8FC278AE3C555C
SHA1: FF0557847CB3A78CFDA37A53B1A15A33D0199388
SHA-256: 6C0E7F45649D8594AB3260B2498C292D3EE6F3E2346735A4AEB5BBEEF2C7CAA6
SHA-512: 33FADF253F9CEECE379EFF30ABFB0F3B81E815F135A5854BD23044B3C61111C515B29F9D0BD645004ECF31DD502D565F1AC36F4BF2AC45C2DDC51EEABE54313B
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5073240
Entropy (8bit): 7.998813387067771
Encrypted: true
SSDEEP: 98304:RuLgywiN1ah6HcG0UJrN7SDgndrHZDMeaNNjt0CKKBgY2r71pZ/APaOR72HgQo0z:I7wq1W6HqULS8djZDTaNNeCKVP5ORsg0
MD5: B88228D5FEF4B6DC019D69D4471F23EC
SHA1: 372D9C1670343D3FB252209BA210D4DC4D67D358
SHA-256: 8162B2D665CA52884507EDE19549E99939CE4EA4A638C537FA653539819138C8
SHA-512: CDD218D211A687DDE519719553748F3FB36D4AC618670986A6DADB4C45B34A9C6262BA7BAB243A242F91D867B041721F22330170A74D4D0B2C354AEC999DBFF8
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 721920
Entropy (8bit): 6.497907284408831
Encrypted: false
SSDEEP: 12288:psMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9z4:qMcMoi3rPR37dzHRA6G7WbuSEmK50zyo
MD5: 62B4483DC79B5846006C0C644B51FE6C
SHA1: 30DCCA8EBCB80128FFF8FDCA10AF6ED47C3B240C
SHA-256: 91378CB7224E7DF682C155128674E5725201F71F946DC798815830FD298D22D5
SHA-512: 2A279A079B64B9A6297F3A3C079D6FCC1B5F371DC0D043AE6E2AF8EDDDE145AC8B890B0212579D3DEE0D8C6B28A210C30F5E5F2CFA2919DE94A28AC20CB6745C
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3131328
Entropy (8bit): 6.377181933518846
Encrypted: false
SSDEEP: 49152:aEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338L:q92bz2Eb6pd7B6bAGx7b333U
MD5: C2B12368174C2843B050C1000CD7A7F3
SHA1: AED269194C487644257C41BDDCCE6488F33E73CA
SHA-256: 7F4B3E922601C8468494EE42E6D0A999A17AA5895547EEBC9DF099176FD87812
SHA-512: 4363ECE21C56BD2237C8A0C2354368C03FA6170E146A3C1893D069DABA61DA4BA56376981F02E8FF2B700A51D3DA7B1C68B9321908A388669B4D3BACCDF6FB24
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 6144
Entropy (8bit): 4.720366600008286
Encrypted: false
SSDEEP: 96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA1: 019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512: 17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3131344
Entropy (8bit): 6.377169247154071
Encrypted: false
SSDEEP: 49152:8EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTVF3338u:892bz2Eb6pd7B6bAGx7b333J
MD5: 9ECEDBF75204AF13FD44FEE9708AD1A1
SHA1: 3228B4C4281EAD90E8CBEAE44944A695484809BE
SHA-256: 91918F711F94703DB4ECFD02582DB2856B718BDEA6B31410D92C002F54806896
SHA-512: 3CF1DC3B96F217D5C1ED8109041CA8BA2D4F1FB07EEA86CF5208F2905F598FB537DDBEF21A5C67D3857A0EF747F8E6DE950C77E8D62333F66024C58055F018BB
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21344240
Entropy (8bit):7.9920082797846455
Encrypted:true
SSDEEP:393216:zDKiNwxu9WmQpO4nkCRhllVNadBQHL7knIjajuzM3Cm8OScfeaNCL:3Nwxm4nxl26eeRzaNCL
MD5:FAC28B29942B43B885400CCBCBC47C06
SHA1:925740916D539D1F8056FC1967F128350DDC8A4C
SHA-256:DACB2CB40AC4A01D1019D5C785465593034CD054A44948F4275901349B256F59
SHA-512:5508ADBFD6A6C8028EB5A7E047B901330A42291F414BD044BEDCCBC01E3C447CC73404417A94FDFC5BF037A258AA0062C553F531C450EA6256B0E9AA527AEEC8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 2%
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11928472
Entropy (8bit):7.97829322027277
Encrypted:false
SSDEEP:196608:MbQGEYGXa/YhG9vzXa1OJVy9K8Z/8Y+BoNFpxZobTlOSQ3+LZV7o1/Nlz7W4vJQ:MQGEYGXUYhG9jqOJg9c2N4XlzZVM1/NO
MD5:CFC2E44506ED4779B9A86D49965B2025
SHA1:2510EDCD610C02BEB3C48ACC3CBB39268D73410B
SHA-256:7022B1000A335E1DAF89DB12A3E06067E3E21163BDE4CF4D5E7893B539BEC7F9
SHA-512:C5672AC0092B46576158F0AD58C8D7A894D114E14B988A1AC3D0703C4DE0F24FB098F3E96B12EA6DDEC7148BCEC0546FBD211B71D33683D60CC882F2C55B0BA7
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):8080584
Entropy (8bit):7.958496147012039
Encrypted:false
SSDEEP:196608:rQ1ATfurodNWgauwGyktkN70QBzQHpnJnP31pthdiATb7h:rkAz4wjVkN70QaHpnJP/tnt
MD5:A1234F8D3A7122BE13679CFA0D9EB3E6
SHA1:BE122B7E2975465F9E1372609D65B8400E7DB25C
SHA-256:AB1CA7E6F5ECE61E914482A89E21EE633C3FFD57BD76358DCE41AA1854477A1B
SHA-512:14A0C568074A762D8DD5968B4A18331C02772D48E44B4179134BA8F489F54221826F63A6E1BFECEC709745B42C37B4181412046DFF528FCC72AE5437F061B65E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):8080584
Entropy (8bit):7.958496147012039
Encrypted:false
SSDEEP:196608:rQ1ATfurodNWgauwGyktkN70QBzQHpnJnP31pthdiATb7h:rkAz4wjVkN70QaHpnJP/tnt
MD5:A1234F8D3A7122BE13679CFA0D9EB3E6
SHA1:BE122B7E2975465F9E1372609D65B8400E7DB25C
SHA-256:AB1CA7E6F5ECE61E914482A89E21EE633C3FFD57BD76358DCE41AA1854477A1B
SHA-512:14A0C568074A762D8DD5968B4A18331C02772D48E44B4179134BA8F489F54221826F63A6E1BFECEC709745B42C37B4181412046DFF528FCC72AE5437F061B65E
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21344240
Entropy (8bit):7.9920082797846455
Encrypted:true
SSDEEP:393216:zDKiNwxu9WmQpO4nkCRhllVNadBQHL7knIjajuzM3Cm8OScfeaNCL:3Nwxm4nxl26eeRzaNCL
MD5:FAC28B29942B43B885400CCBCBC47C06
SHA1:925740916D539D1F8056FC1967F128350DDC8A4C
SHA-256:DACB2CB40AC4A01D1019D5C785465593034CD054A44948F4275901349B256F59
SHA-512:5508ADBFD6A6C8028EB5A7E047B901330A42291F414BD044BEDCCBC01E3C447CC73404417A94FDFC5BF037A258AA0062C553F531C450EA6256B0E9AA527AEEC8
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11928472
Entropy (8bit):7.97829322027277
Encrypted:false
SSDEEP:196608:MbQGEYGXa/YhG9vzXa1OJVy9K8Z/8Y+BoNFpxZobTlOSQ3+LZV7o1/Nlz7W4vJQ:MQGEYGXUYhG9jqOJg9c2N4XlzZVM1/NO
MD5:CFC2E44506ED4779B9A86D49965B2025
SHA1:2510EDCD610C02BEB3C48ACC3CBB39268D73410B
SHA-256:7022B1000A335E1DAF89DB12A3E06067E3E21163BDE4CF4D5E7893B539BEC7F9
SHA-512:C5672AC0092B46576158F0AD58C8D7A894D114E14B988A1AC3D0703C4DE0F24FB098F3E96B12EA6DDEC7148BCEC0546FBD211B71D33683D60CC882F2C55B0BA7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):729280
Entropy (8bit):6.514405609878223
Encrypted:false
SSDEEP:12288:LsMLIMoi3rPR37dzHRA6nX0D9OKWbO7SERb5rNUK1bce0zyx9zW:IMcMoi3rPR37dzHRA6G7WbuSEmK50zym
MD5:3E828ACD7AFDC653C0E0CA4F00A876C6
SHA1:D21A0CD0F9A39279C2010A952E1249F021C23B4E
SHA-256:08648EF949DF303A79FBA0EC8168CB1829EBBF5BFADFB199BC21EB6ECEBC93AE
SHA-512:1FD64C0A1195515E1C4756109C5559A1BD5DB3AE6CCD2367CBC00E185E45CAE79A99EA4AE7D84FA3BD42E9C2710079786E99FCE4D462EB0C839C8DB69488357B
Malicious:true
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 239
Entropy (8bit): 5.244078670555102
Encrypted: false
SSDEEP: 6:rFHGxQ61kH7HE9bwe9hc1axKsyyL4eJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyyL/J/nAB/bH271e
MD5: 2F75CB7D681782F34E407A53FB42DF05
SHA1: 4371FB4F570BBCE02FFCF374D7F093B583E653B0
SHA-256: 203862ED6BA60B1BBB22C5777ED47E69FE75EF51F5C497B3D832BBF4DD736780
SHA-512: DFC70F8C5322385B67C6C19B4F9D2D21BD024E3C6CE62384CC283DDA0D03A13DB691229D76B302FAD04D518928F71175ADCFFCFD4FED0B2A93FFB417BD90B1B8
Malicious: false
Preview (CRLF line breaks rendered as ".." in the raw dump):
FOR /F "tokens=*" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO set FIREFOX_PROFILE_DIR=%%A
%2\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category: dropped
Size (bytes): 99678
Entropy (8bit): 2.399880160860077
Encrypted: false
SSDEEP: 384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
MD5: C6B1F4998CA0242B1EB448C9694EFF20
SHA1: D002E4878B16AFD33885553F3507BA2BC23E2179
SHA-256: 15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
SHA-512: 902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 59664
Entropy (8bit): 5.552981290836808
Encrypted: false
SSDEEP: 1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
MD5: 5D077A0CDD077C014EEDB768FEB249BA
SHA1: EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
SHA-256: 8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
SHA-512: 71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 103936
Entropy (8bit): 6.464020030097691
Encrypted: false
SSDEEP: 3072:est2WKOxRTftkVeSl8w5d3wgtRgc7k8w:GWKOzTlkVzl8w8yRDA8w
MD5: 0C6B43C9602F4D5AC9DCF907103447C4
SHA1: 7A77C7AE99D400243845CCE0E0931F029A73F79A
SHA-256: 5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
SHA-512: B21B34A5886A3058CE26A6A5A6EAD3B1EBAE62354540492FB6508BE869E7D292B351C0913461B47C4CC0C6A73333AAD33CD9399BCB1F83C7DACFDB7F2EE1F7A9
Malicious: true
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 103
Entropy (8bit): 4.493835447768373
Encrypted: false
SSDEEP: 3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5: 9556062A739F56D168C1581A11192A17
SHA1: 81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256: D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512: 57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious: false
Preview (CRLF line break rendered as ".." in the raw dump):
/* Enable experimental Windows trust store support */
pref("security.enterprise_roots.enabled", true);
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 222208
Entropy (8bit): 6.697487951906348
Encrypted: false
SSDEEP: 6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
MD5: 269BEB631B580C6D54DB45B5573B1DE5
SHA1: 64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
SHA-256: FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
SHA-512: 649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 97792
Entropy (8bit): 6.240650542976671
Encrypted: false
SSDEEP: 1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
MD5: A5C670EDF4411BF7F132F4280026137B
SHA1: C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
SHA-256: ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
SHA-512: ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 93696
Entropy (8bit): 6.44977499578729
Encrypted: false
SSDEEP: 1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5: C26E940B474728E728CAFE5912BA418A
SHA1: 7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256: 1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512: BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
Malicious: false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):199680
Entropy (8bit):6.678065290017203
Encrypted:false
SSDEEP:3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
MD5:6E84AF2875700285309DD29294365C6A
SHA1:FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
SHA-256:1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
SHA-512:0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):798720
Entropy (8bit):6.523188898405281
Encrypted:false
SSDEEP:24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
MD5:A1C4628D184B6AB25550B1CE74F44792
SHA1:C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
SHA-256:3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
SHA-512:07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):56
Entropy (8bit):4.503434386188784
Encrypted:false
SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:E40A3D559E4B85251943E071CD036D90
SHA1:10FC58DF075108C912589F7954244A807776A0FB
SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:false
Preview://..lockPref("security.enterprise_roots.enabled", true);
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):190976
Entropy (8bit):6.662915165682162
Encrypted:false
SSDEEP:3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
MD5:717DBDF0E1F616EA8A038259E273C530
SHA1:926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
SHA-256:E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
SHA-512:C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):90
Entropy (8bit):4.4385634049235
Encrypted:false
SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:30573ACFC9586271A3F800A10C284479
SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:false
Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:dropped
Size (bytes):59664
Entropy (8bit):5.552981290836808
Encrypted:false
SSDEEP:1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
MD5:5D077A0CDD077C014EEDB768FEB249BA
SHA1:EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
SHA-256:8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
SHA-512:71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):12288
Entropy (8bit):5.576295270591411
Encrypted:false
SSDEEP:192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
MD5:9AE76DB13972553A5DE5BDD07B1B654D
SHA1:0C4508EB6F13B9B178237CCC4DA759BFF10AF658
SHA-256:38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
SHA-512:DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PEM certificate
Category:dropped
Size (bytes):1574
Entropy (8bit):5.905699622879769
Encrypted:false
SSDEEP:24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
MD5:CBF5A63CD967ED0D899F0C6D173C0BC6
SHA1:FAF581B198C85AB2A57914E21F31BEC7609DC871
SHA-256:CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
SHA-512:E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
Malicious:false
                                                                                                                                                                                                          Preview:-----BEGIN CERTIFICATE-----.MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD.VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW.BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu.dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv.b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx.MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM.B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y.YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1.c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB.FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB.CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo.5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9.pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S.9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il.rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV
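The MD5/SHA-1/SHA-256 values above are hashes of the dropped PEM file, not the certificate's thumbprint, so they will not match what certmgr or a root-store audit shows for the installed root. The preview is cut off mid-certificate, but everything that identifies the root (version, serial, issuer, validity, subject, modulus size) sits in the first few hundred DER bytes and survives. The following is an added example, not part of the Joe Sandbox report: a small truncation-tolerant DER walker that decodes the preview exactly as printed (the '.' characters are the report's rendering of PEM line breaks, an assumption checked by the decoded structure parsing cleanly) and pulls those fields out. The OID table and the field order are the standard X.509 ones; nothing about the certificate beyond what the preview contains is assumed.

```python
"""Recover what the truncated PEM preview above still reveals about the dropped root certificate."""
import base64
import re
from datetime import datetime, timezone

# Constructed input: the "Preview:" field of the PEM drop, copied from the report. Joe Sandbox
# renders each PEM line break as '.', and the preview stops part-way through the public key.
PREVIEW = (
    "-----BEGIN CERTIFICATE-----."
    "MIIEXTCCA0WgAwIBAgIJAK/4uEUcRr/QMA0GCSqGSIb3DQEBCwUAMIG8MQswCQYD."
    "VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAW."
    "BgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIElu."
    "dGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJv."
    "b3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wHhcNMTQxMTEx."
    "MTk0NjIzWhcNMjQxMTA4MTk0NjIzWjCBvDELMAkGA1UEBhMCQ0ExEDAOBgNVBAgM."
    "B09udGFyaW8xETAPBgNVBAcMCFdhdGVybG9vMRgwFgYDVQQKDA9SRE0gQ29ycG9y."
    "YXRpb24xMDAuBgNVBAsMJ0RldmljZSAtIGZvciBJbnRlcm5hbCBJbnRyYW5ldCB1."
    "c2UgT25seTEYMBYGA1UEAwwPUkRNIERldmljZSBSb290MSIwIAYJKoZIhvcNAQkB."
    "FhNzdXBwb3J0QHJkbWNvcnAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB."
    "CgKCAQEA501CdfXCdhUItY0JA5Y0MJ/TK/OH5UTVicWn+Knyi0GRGNDIh5N9dDeo."
    "5X21bwACHZtHpWwMiL2PcH+hR0dw2Fmf6zDQBYKGeGy6wU7L0b7S8TbyivGW+Ks9."
    "pS4LRQoKnzY6eF9bIxFhbaUBgbq/KJWxQIm4EOXMSejmgmk/Koh9+7P8jVb9kp1S."
    "9AaVDz45j6b/zTkzzR4EP+GVVozWMZN4whDmE2EprxzcCkxr1GY0mEfHxCjLq2il."
    "rF9Mz6Cr1vL19Gu1HxMbdAJSM1qIAxAG5Xbl9oAPzMUHwzdXpLzj9hfhkzqUFV"
)

# DER-encoded X.500 attribute OIDs (2.5.4.x) plus PKCS#9 emailAddress.
OIDS = {
    b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
    b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
    b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",
}


def preview_to_der(preview: str) -> bytes:
    """Drop the PEM armour and the '.' line breaks, then decode only whole base64 quanta."""
    body = re.sub(r"-----[A-Z ]+-----", "", preview)
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", body)
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])


def tlv(buf: bytes, pos: int):
    """Parse one DER header; return (tag, content_start, content_length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, length


def children(buf: bytes, start: int, end: int):
    """Yield (tag, content_start, content_end) for each element in buf[start:end]; an element
    that runs past the data we have is clipped instead of raising, so truncation is survivable."""
    pos = start
    while pos < end and pos + 2 <= len(buf):
        tag, cstart, length = tlv(buf, pos)
        yield tag, cstart, min(cstart + length, len(buf))
        pos = cstart + length


def parse_name(buf: bytes, start: int, end: int):
    """Flatten an X.501 Name (SET OF SEQUENCE {OID, value}) into [(short_name, text), ...]."""
    rdns = []
    for _, set_s, set_e in children(buf, start, end):
        for _, seq_s, seq_e in children(buf, set_s, set_e):
            (_, o_s, o_e), (_, v_s, v_e) = list(children(buf, seq_s, seq_e))[:2]
            rdns.append((OIDS.get(buf[o_s:o_e], "?"), buf[v_s:v_e].decode("utf-8", "replace")))
    return rdns


def utc_time(buf: bytes, start: int, end: int) -> datetime:
    """UTCTime 'YYMMDDhhmmssZ' -> aware datetime (this sample uses no GeneralizedTime)."""
    return datetime.strptime(buf[start:end].decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def rsa_modulus_bits(buf: bytes, spki_s: int, spki_e: int) -> int:
    """Read the modulus length from the SubjectPublicKeyInfo headers; the key body may be cut off."""
    _, (_, bits_s, _) = list(children(buf, spki_s, spki_e))[:2]
    _, seq_s, _ = tlv(buf, bits_s + 1)     # skip the BIT STRING unused-bits octet -> RSAPublicKey
    _, mod_s, mod_len = tlv(buf, seq_s)    # INTEGER modulus; a leading 0x00 pads a high-bit-set value
    return (mod_len - (1 if buf[mod_s] == 0 else 0)) * 8


def inspect_truncated_cert(preview: str) -> dict:
    der = preview_to_der(preview)
    _, cert_s, _ = tlv(der, 0)                           # Certificate ::= SEQUENCE
    _, tbs_s, tbs_len = tlv(der, cert_s)                 # tbsCertificate ::= SEQUENCE
    f = list(children(der, tbs_s, min(tbs_s + tbs_len, len(der))))
    # tbsCertificate order: [0] version, serialNumber, signature, issuer, validity, subject, SPKI ...
    i, version = 0, 1
    if f[0][0] == 0xA0:
        version = der[f[0][1] + 2] + 1                   # INTEGER inside the [0] wrapper, zero-based
        i = 1
    issuer = parse_name(der, *f[i + 2][1:])
    subject = parse_name(der, *f[i + 4][1:])
    not_before, not_after = [utc_time(der, s, e) for _, s, e in children(der, *f[i + 3][1:])]
    return {
        "version": version,
        "serial": der[f[i][1]:f[i][2]].hex(),
        "issuer": issuer,
        "subject": subject,
        "self_issued": issuer == subject,                # same Name on both sides: a root, not a leaf
        "not_before": not_before,
        "not_after": not_after,
        "rsa_bits": rsa_modulus_bits(der, *f[i + 5][1:]),
        "decoded_bytes": len(der),
    }


if __name__ == "__main__":
    for key, value in inspect_truncated_cert(PREVIEW).items():
        print(f"{key:>14}: {value}")
```

Run stand-alone it prints the issuer and subject (identical, so this is a self-issued root), the 2014-11-11 to 2024-11-08 validity window and a 2048-bit RSA key. The signature cannot be verified from a truncated preview, so "self_issued" only compares the Names; for a thumbprint-based hunt in the Windows root store you need the full DER, which the report does not include.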
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):370176
                                                                                                                                                                                                          Entropy (8bit):6.863300763286356
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
                                                                                                                                                                                                          MD5:D1243817A1B22B855DE0852CF5B53BF5
                                                                                                                                                                                                          SHA1:C64F4851A2FCFE8D1E4A5B5743498870B676755E
                                                                                                                                                                                                          SHA-256:93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
                                                                                                                                                                                                          SHA-512:59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......??fs{^. {^. {^. r&. y^. .(. z^. .(. y^. .(. r^. {^. C^. .(. R^. .(. z^. .(. z^. .(. z^. Rich{^. ................PE..L....A.O...........!......................................................................@..........................6..P...L1..x...............................t,...................................0..@............................................text............................... ..`.rdata..07.......8..................@..@.data....T...@...R... ..............@....rsrc................r..............@..@.reloc.../.......0...v..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):103
                                                                                                                                                                                                          Entropy (8bit):4.493835447768373
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
                                                                                                                                                                                                          MD5:9556062A739F56D168C1581A11192A17
                                                                                                                                                                                                          SHA1:81EE37E3990A004B9F50CBE99D512A5A5247AA90
                                                                                                                                                                                                          SHA-256:D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
                                                                                                                                                                                                          SHA-512:57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);
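This 103-byte drop is what ties the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures together: `security.enterprise_roots.enabled` set to `true` makes Firefox trust roots from the Windows certificate store instead of only its own NSS store, so a root added to the Windows store by the installer is trusted by Firefox as well. The report does not show where this file was written, so that path is not assumed here. The following is an added example, not part of the report or of the installer: it rebuilds the file from the preview (assuming the two '.' characters are the CR LF pair the file-type line reports), parses it like a Firefox prefs file, and flags trust-weakening values. The two extra prefs in the table are real Firefox preference names added for completeness and do not appear on this page.

```python
"""Parse a dropped Firefox preference file and flag settings that widen the browser's trust."""
import hashlib
import re

# Constructed input: the "Preview:" field of the 103-byte text drop, copied from the report.
PREVIEW = '/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);'
REPORTED_SIZE = 103                                  # "Size (bytes)" from the report
REPORTED_MD5 = "9556062a739f56d168c1581a11192a17"    # "MD5" from the report, lower-cased

# Prefs a dropped file can use to make Firefox accept certificates it otherwise would not.
# enterprise_roots is the one on this page; the other two are added here as an assumption of
# what else is worth watching, with the values that weaken validation.
TRUST_WEAKENING = {
    "security.enterprise_roots.enabled": (True, "trust roots from the OS (Windows/macOS) certificate store"),
    "security.cert_pinning.enforcement_level": (0, "disable public key pinning"),
    "security.OCSP.enabled": (0, "disable OCSP revocation checking"),
}

PREF_RE = re.compile(
    r'^\s*(pref|user_pref|lockPref|defaultPref|sticky_pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;?\s*$'
)


def preview_to_bytes(preview: str) -> bytes:
    """Rebuild the file: the report renders the CR LF pair as '..'; the rest is printable ASCII.
    (Assumption that holds for this preview; a pref value containing '..' would need smarter handling.)"""
    return preview.replace("..", "\r\n").encode("ascii")


def parse_prefs(text: str) -> dict:
    """Return {pref_name: (call_kind, value)} for every pref(...)-style call, ignoring comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)     # block comments, possibly multi-line
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):                # line comments
            continue
        m = PREF_RE.match(line)
        if not m:
            continue
        kind, name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            value = raw                                   # unknown literal: keep the source text
        prefs[name] = (kind, value)
    return prefs


def trust_findings(prefs: dict) -> list:
    """(name, explanation) for every pref set to a value in TRUST_WEAKENING."""
    return [(name, TRUST_WEAKENING[name][1]) for name, (_, value) in prefs.items()
            if name in TRUST_WEAKENING and TRUST_WEAKENING[name][0] == value]


def check_drop(preview: str) -> dict:
    data = preview_to_bytes(preview)
    prefs = parse_prefs(data.decode("ascii"))
    return {
        "size_ok": len(data) == REPORTED_SIZE,                     # checks the '..' = CR LF assumption
        "md5_ok": hashlib.md5(data).hexdigest() == REPORTED_MD5,   # True only if the rebuild is byte-exact
        "prefs": prefs,
        "findings": trust_findings(prefs),
    }


if __name__ == "__main__":
    result = check_drop(PREVIEW)
    print("size matches report:", result["size_ok"], "| md5 matches report:", result["md5_ok"])
    for name, why in result["findings"]:
        print(f"{name}: {why}")
```

The parser deliberately accepts all five call forms Firefox uses in `user.js`, `prefs.js` and `defaults/pref/*.js` so the same function works on files found on a host, not only on this sandbox artifact; the size and MD5 comparisons are there so a reconstruction that is off by one byte is noticed rather than silently trusted.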
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):222208
                                                                                                                                                                                                          Entropy (8bit):6.697487951906348
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
                                                                                                                                                                                                          MD5:269BEB631B580C6D54DB45B5573B1DE5
                                                                                                                                                                                                          SHA1:64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
                                                                                                                                                                                                          SHA-256:FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
                                                                                                                                                                                                          SHA-512:649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[x.5+.5+.5+..+.5+..+.5+..+.5+..+.5+.4+..5+..+.5+..+.5+..+.5+..+.5+Rich.5+................PE..L....A.O...........!.....\...J.......f.......p............................................@..........................U..O...,M..x...............................,...................................hL..@............p..x............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....F...`.......F..............@....rsrc................H..............@..@.reloc..x............L..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):14336
                                                                                                                                                                                                          Entropy (8bit):5.794541181301596
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
                                                                                                                                                                                                          MD5:1FAE68B740F18290B98B2F9E23313CC2
                                                                                                                                                                                                          SHA1:FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
                                                                                                                                                                                                          SHA-256:751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
                                                                                                                                                                                                          SHA-512:5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;aS.0...]o^.3...]ok.0...]o\.7...2.......]oj.(...]o[.3...]oZ.3...]o].3...Rich2...................PE..L...oA.O...........!.................'.......0...............................p............@......................... 8.......3..P....P.......................`.......................................3..@............0...............................text...T........................... ..`.rdata.......0......."..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):108544
                                                                                                                                                                                                          Entropy (8bit):6.45689405407938
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
                                                                                                                                                                                                          MD5:051652BA7CA426846E936BC5AA3F39F3
                                                                                                                                                                                                          SHA1:0012007876DDE3A2D764249AD86BC428300FE91E
                                                                                                                                                                                                          SHA-256:8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
                                                                                                                                                                                                          SHA-512:005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........D[...[...[...R...Y.......S...4...Z...4...Y...4...P...[......4./.z...4...Z...4...Z...4...Z...Rich[...........................PE..L....A.O...........!.....n...:.......w....................................................@............................................................................................................@...............D............................text....l.......n.................. ..`.rdata...............r..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):172544
                                                                                                                                                                                                          Entropy (8bit):6.496240878001019
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
                                                                                                                                                                                                          MD5:2AB31C9401870ADB4E9D88B5A6837ABF
                                                                                                                                                                                                          SHA1:4F0FDD699E63F614D79ED6E47EF61938117D3B7A
                                                                                                                                                                                                          SHA-256:22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
                                                                                                                                                                                                          SHA-512:BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.e./.6./.6./.6.W.6./.6;a.6./.6.Y.6./.6.Y36./.6.Y.6./.6./.61/.6.Y26./.6.Y.6./.6.Y.6./.6.Y.6./.6Rich./.6................PE..L....A.O...........!.....*...x.......3.......@............................................@.................................<...................................|...................................x...@............@...............................text....(.......*.................. ..`.rdata...O...@...P..................@..@.data................~..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):103936
                                                                                                                                                                                                          Entropy (8bit):6.464020030097691
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:est2WKOxRTftkVeSl8w5d3wgtRgc7k8w:GWKOzTlkVzl8w8yRDA8w
                                                                                                                                                                                                          MD5:0C6B43C9602F4D5AC9DCF907103447C4
                                                                                                                                                                                                          SHA1:7A77C7AE99D400243845CCE0E0931F029A73F79A
                                                                                                                                                                                                          SHA-256:5950722034C8505DAA9B359127FEB707F16C37D2F69E79D16EE6D9EC37690478
                                                                                                                                                                                                          SHA-512:B21B34A5886A3058CE26A6A5A6EAD3B1EBAE62354540492FB6508BE869E7D292B351C0913461B47C4CC0C6A73333AAD33CD9399BCB1F83C7DACFDB7F2EE1F7A9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......P..........................{......{......{.........6..{./....{......Rich...........................PE..L....A.O..........................................@.......................................@.................................Tq.......................................................................p..@...............h............................text...d........................... ..`.rdata..............................@..@.data................z..............@....reloc..D............|..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):423936
                                                                                                                                                                                                          Entropy (8bit):6.751461394308889
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
                                                                                                                                                                                                          MD5:B58848A28A1EFB85677E344DB1FD67E6
                                                                                                                                                                                                          SHA1:DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
                                                                                                                                                                                                          SHA-256:00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
                                                                                                                                                                                                          SHA-512:762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,J..h+.Yh+.Yh+.YaS0Yj+.Y.]?Yk+.Yh+.Y&+.Y.]=Yd+.Y.].Yj+.Y.].Yf+.Y.]8Yi+.Y.]>Yi+.YRichh+.Y........................PE..L....A.O...........!......................................................................@..........................J.......C..<...............................@&..................................@B..@...............@............................text............................... ..`.rdata..............................@..@.data........`.......D..............@....reloc..Z(.......*...N..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):239
                                                                                                                                                                                                          Entropy (8bit):5.244078670555102
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:6:rFHGxQ61kH7HE9bwe9hc1axKsyyL4eJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyyL/J/nAB/bH271e
                                                                                                                                                                                                          MD5:2F75CB7D681782F34E407A53FB42DF05
                                                                                                                                                                                                          SHA1:4371FB4F570BBCE02FFCF374D7F093B583E653B0
                                                                                                                                                                                                          SHA-256:203862ED6BA60B1BBB22C5777ED47E69FE75EF51F5C497B3D832BBF4DD736780
                                                                                                                                                                                                          SHA-512:DFC70F8C5322385B67C6C19B4F9D2D21BD024E3C6CE62384CC283DDA0D03A13DB691229D76B302FAD04D518928F71175ADCFFCFD4FED0B2A93FFB417BD90B1B8
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:FOR /F "tokens=*" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO set FIREFOX_PROFILE_DIR=%%A..%2\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1..
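The batch file above is the mechanism behind the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures. It takes two arguments (%1 is the certificate file, %2 the directory containing NSS certutil.exe), lets the `FOR ... DO set` loop leave FIREFOX_PROFILE_DIR pointing at the last `*.default*` profile directory that `dir /B` lists, and imports the certificate under the nickname RDM_Device with trust flags `TCu,TCu,TCu`, which marks it as a trusted CA for SSL, S/MIME and object signing in that profile's NSS database. The Python below is an added example, not part of the report or of the installer: it takes the two batch lines reconstructed from the preview as constructed input, extracts the `certutil -A` invocation, and expands the trust string using certutil's documented attribute letters so the scope of the trust being granted is explicit.

```python
"""
Added example (not from the Joe Sandbox report or the analysed installer):
interpret a certutil -A command of the kind the installer drops.
"""
import re

# Constructed input: the two lines of the dropped batch file, rebuilt from the report preview
BATCH = r'''FOR /F "tokens=*" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\*.default*"') DO set FIREFOX_PROFILE_DIR=%%A
%2\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1
'''

# NSS certutil -t attribute letters; one group per category (SSL, S/MIME, object signing)
TRUST_LETTERS = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "C": "trusted CA to issue server certs (implies c)",
    "T": "trusted CA to issue client certs (implies c)",
    "u": "user cert (private key present)",
}
CATEGORIES = ("SSL", "S/MIME", "object signing")


def parse_trust(trust: str) -> dict:
    """Expand a trust string such as 'TCu,TCu,TCu' into per-category meanings."""
    groups = trust.split(",")
    if len(groups) != 3:
        raise ValueError(f"expected three comma-separated trust groups, got {trust!r}")
    expanded = {}
    for category, letters in zip(CATEGORIES, groups):
        unknown = set(letters) - set(TRUST_LETTERS)
        if unknown:
            raise ValueError(f"unknown trust letters {sorted(unknown)} in {trust!r}")
        expanded[category] = [TRUST_LETTERS[ch] for ch in letters]
    return expanded


def grants_ca_trust(trust: str) -> bool:
    """True when any category marks the certificate as a trusted CA (C or T)."""
    return any(ch in ("C", "T") for ch in trust.replace(",", ""))


def _tokens(line: str) -> list:
    """Split a cmd.exe line into tokens, keeping double-quoted values intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]


def find_certutil_adds(script: str) -> list:
    """Return one record per 'certutil -A' (add certificate) invocation in a script."""
    records = []
    for line in script.splitlines():
        if not re.search(r"certutil(\.exe)?\b", line, re.IGNORECASE):
            continue
        tokens = _tokens(line)
        if "-A" not in tokens:
            continue
        opts = {}
        for i, tok in enumerate(tokens):
            if tok in ("-n", "-t", "-d", "-i") and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
        trust = opts.get("-t", "")
        records.append({
            "nickname": opts.get("-n"),
            "trust": trust,
            "db_dir": opts.get("-d"),
            "cert_file": opts.get("-i"),
            "ca_trust": grants_ca_trust(trust),
        })
    return records


if __name__ == "__main__":
    for rec in find_certutil_adds(BATCH):
        print(f"nickname={rec['nickname']} db={rec['db_dir']} cert={rec['cert_file']}")
        for category, meanings in parse_trust(rec["trust"]).items():
            print(f"  {category}: {', '.join(meanings)}")
        print("  grants CA trust:", rec["ca_trust"])
```

Run against a copy of the batch file, the function reports the nickname, the target NSS database directory and whether the trust string grants CA trust; anything with `C` or `T` in any group is a new trust anchor for that profile and should be reviewed, since a certificate imported this way is trusted by Firefox regardless of the Windows certificate store.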
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):99678
                                                                                                                                                                                                          Entropy (8bit):2.399880160860077
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
                                                                                                                                                                                                          MD5:C6B1F4998CA0242B1EB448C9694EFF20
                                                                                                                                                                                                          SHA1:D002E4878B16AFD33885553F3507BA2BC23E2179
                                                                                                                                                                                                          SHA-256:15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
                                                                                                                                                                                                          SHA-512:902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:............ .h...V... .... .........00.... ..%..f...@@.... .(B...;........ .(...6}..(....... ..... .....@...................................................................................................................................................................................................................................................................................................................................................uW....Y....wY..y[..uW..uW..wZ....n....uW.....}`........Y..f..uW....Y...x.uW....p.uW....H...=.uW....I.uW.....uW....O...Y..f..uW..}a..x[...f.....uW.........vX..wY..uW...._..k..}a....R..f..uW....C....y\..{^..uW.........vX..x[..uW...i......}a...i...f..uW...n$...\.vX...i..uW...u...m".vY....[.uW..uW........M.uW...f...w1..w1..w1...N.....w1..w1...@........w1..z6.........w1...D...........................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):199680
                                                                                                                                                                                                          Entropy (8bit):6.678065290017203
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
                                                                                                                                                                                                          MD5:6E84AF2875700285309DD29294365C6A
                                                                                                                                                                                                          SHA1:FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
                                                                                                                                                                                                          SHA-256:1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
                                                                                                                                                                                                          SHA-512:0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Wp.6...6...6..-x...6...@...6...@...6...@...6...N...6...6..m6...@...6...@...6...@...6...@...6..Rich.6..........PE..L...lA.O...........!.....^...........h.......p...............................p............@..............................+..<...x....0.......................@..."..................................X...@............p..`............................text....].......^.................. ..`.rdata...s...p...t...b..............@..@.data...P(..........................@....tls......... ......................@....rsrc........0......................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):14336
                                                                                                                                                                                                          Entropy (8bit):5.794541181301596
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
                                                                                                                                                                                                          MD5:1FAE68B740F18290B98B2F9E23313CC2
                                                                                                                                                                                                          SHA1:FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
                                                                                                                                                                                                          SHA-256:751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
                                                                                                                                                                                                          SHA-512:5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;aS.0...]o^.3...]ok.0...]o\.7...2.......]oj.(...]o[.3...]oZ.3...]o].3...Rich2...................PE..L...oA.O...........!.................'.......0...............................p............@......................... 8.......3..P....P.......................`.......................................3..@............0...............................text...T........................... ..`.rdata.......0......."..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):12288
                                                                                                                                                                                                          Entropy (8bit):5.576295270591411
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
                                                                                                                                                                                                          MD5:9AE76DB13972553A5DE5BDD07B1B654D
                                                                                                                                                                                                          SHA1:0C4508EB6F13B9B178237CCC4DA759BFF10AF658
                                                                                                                                                                                                          SHA-256:38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
                                                                                                                                                                                                          SHA-512:DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................g......j......_......h............^......o......n......i....Rich............................PE..L...mA.O...........!.................".......0...............................p............@.........................P6......l2..P....P.......................`.......................................1..@............0...............................text............................... ..`.rdata..R....0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..(....`.......,..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):90
                                                                                                                                                                                                          Entropy (8bit):4.4385634049235
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
                                                                                                                                                                                                          MD5:30573ACFC9586271A3F800A10C284479
                                                                                                                                                                                                          SHA1:9CC1A1329258379698A04C33DC5D62E9CE8E06FD
                                                                                                                                                                                                          SHA-256:30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
                                                                                                                                                                                                          SHA-512:4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");
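The two `pref()` lines above are a Firefox AutoConfig bootstrap rather than ordinary user preferences: `general.config.filename` points Firefox at umbrella.cfg in its installation directory, and `general.config.obscure_value` set to 0 tells it to read that file as plain JavaScript instead of the default byte-rotated (ROT13) form. Whatever umbrella.cfg contains is then evaluated at every browser start and can set or lock any preference, which is why a file of 90 bytes is enough to trigger the "Overwrites Mozilla Firefox settings" signature. The Python below is an added example, not from the report or the installer: it parses `pref()`, `lockPref()` and `defaultPref()` lines from a constructed copy of the dropped file and reports what they do to AutoConfig; the Firefox install path used for the expected cfg location is an assumption for illustration.

```python
"""
Added example (not from the Joe Sandbox report or the analysed installer):
detect Firefox AutoConfig enablement in a dropped defaults/pref file.
"""
import ntpath
import re

# Constructed input: the dropped 90-byte file, rebuilt from the report preview (CRLF line ends)
LOCAL_SETTINGS = (
    'pref("general.config.obscure_value", 0);\r\n'
    'pref("general.config.filename", "umbrella.cfg");\r\n'
)

# Matches pref("name", value); and the lockPref/defaultPref variants used by AutoConfig
PREF_RE = re.compile(
    r'^\s*(pref|lockPref|defaultPref)\s*\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text: str) -> dict:
    """Return {name: value} for every pref-style line; values become str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if not match:
            continue
        _, name, raw = match.groups()
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unrecognised as its literal text
        prefs[name] = value
    return prefs


def autoconfig_findings(prefs: dict) -> list:
    """Describe what the preferences do to Firefox's AutoConfig mechanism."""
    findings = []
    cfg = prefs.get("general.config.filename")
    if not cfg:
        return findings
    findings.append(f"AutoConfig enabled: {cfg} is evaluated from the Firefox install directory at startup")
    # Firefox's default obscure_value is 13 (ROT13 of every byte); 0 means plain JavaScript
    if prefs.get("general.config.obscure_value", 13) == 0:
        findings.append("obscure_value=0: the cfg file is stored as plain JavaScript")
    return findings


def expected_cfg_path(prefs: dict, install_dir: str) -> str:
    """Where to collect the cfg file from; install_dir is the caller's assumption."""
    cfg = prefs.get("general.config.filename")
    return ntpath.join(install_dir, cfg) if cfg else ""


if __name__ == "__main__":
    found = parse_prefs(LOCAL_SETTINGS)
    for line in autoconfig_findings(found):
        print(line)
    # Hypothetical install path, assumed for illustration only
    print("collect:", expected_cfg_path(found, r"C:\Program Files\Mozilla Firefox"))
```

During triage the file to collect is the one named by `general.config.filename`, next to firefox.exe, not the dropped pref file itself; the pref file only enables the mechanism, and the cfg holds the settings or code that actually run.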
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):798720
                                                                                                                                                                                                          Entropy (8bit):6.523188898405281
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
                                                                                                                                                                                                          MD5:A1C4628D184B6AB25550B1CE74F44792
                                                                                                                                                                                                          SHA1:C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
                                                                                                                                                                                                          SHA-256:3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
                                                                                                                                                                                                          SHA-512:07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^..............T.......Y......l.......[..............m.T.....\.......].......Z.....Rich............PE..L....A.O...........!.....2..........V;.......P...............................p............@..........................z..zb...Z..................................TS..................................0Z..@............P...............................text...^0.......2.................. ..`.rdata.......P.......6..............@..@.data...............................@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 370176
Entropy (8bit): 6.863300763286356
Encrypted: false
SSDEEP: 6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
MD5: D1243817A1B22B855DE0852CF5B53BF5
SHA1: C64F4851A2FCFE8D1E4A5B5743498870B676755E
SHA-256: 93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
SHA-512: 59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 108544
Entropy (8bit): 6.45689405407938
Encrypted: false
SSDEEP: 3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
MD5: 051652BA7CA426846E936BC5AA3F39F3
SHA1: 0012007876DDE3A2D764249AD86BC428300FE91E
SHA-256: 8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
SHA-512: 005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 93696
Entropy (8bit): 6.44977499578729
Encrypted: false
SSDEEP: 1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5: C26E940B474728E728CAFE5912BA418A
SHA1: 7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256: 1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512: BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PEM certificate
Category: dropped
Size (bytes): 1574
Entropy (8bit): 5.905699622879769
Encrypted: false
SSDEEP: 24:LrcG/hfz7O7nw+U7KjD0GGicvgUvih9DfJJ/GWb6YUOBceQEjY1CkRi8XJ:LrcGpfz7Snw+U7pGVUwBjGWb69OAR55
MD5: CBF5A63CD967ED0D899F0C6D173C0BC6
SHA1: FAF581B198C85AB2A57914E21F31BEC7609DC871
SHA-256: CFD3AD2B4B7F86FFAD7056078F0490291BE71C5E0A0630F1E45DDE452BA5D81A
SHA-512: E6F268F1581691EC4A4BD6B818CCABFA27BA7F07400F1732003C9E5B26865CAF8BAEC2B2EC4BE52BC0E6A4B51C661E851952E946D7BB5FEF764BB3124A315F8A
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 97792
Entropy (8bit): 6.240650542976671
Encrypted: false
SSDEEP: 1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
MD5: A5C670EDF4411BF7F132F4280026137B
SHA1: C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
SHA-256: ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
SHA-512: ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 172544
Entropy (8bit): 6.496240878001019
Encrypted: false
SSDEEP: 3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
MD5: 2AB31C9401870ADB4E9D88B5A6837ABF
SHA1: 4F0FDD699E63F614D79ED6E47EF61938117D3B7A
SHA-256: 22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
SHA-512: BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 423936
Entropy (8bit): 6.751461394308889
Encrypted: false
SSDEEP: 6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
MD5: B58848A28A1EFB85677E344DB1FD67E6
SHA1: DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
SHA-256: 00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
SHA-512: 762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
Malicious: false

Process: C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 190976
Entropy (8bit): 6.662915165682162
Encrypted: false
SSDEEP: 3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
MD5: 717DBDF0E1F616EA8A038259E273C530
SHA1: 926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
SHA-256: E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
SHA-512: C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
Malicious: false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Af......................jq......jq=.....jq..............jq<.5...jq......jq......jq......Rich............................PE..L....A.O...........!.................".......0............................... ............@.........................p...j.......................................l......................................@............0...............................text............................... ..`.rdata......0......................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):56
Entropy (8bit):4.503434386188784
Encrypted:false
SSDEEP:3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:E40A3D559E4B85251943E071CD036D90
SHA1:10FC58DF075108C912589F7954244A807776A0FB
SHA-256:E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:false
Preview://..lockPref("security.enterprise_roots.enabled", true);

Process:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):6144
Entropy (8bit):4.720366600008286
Encrypted:false
SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):65536
Entropy (8bit):1.4097925170857268
Encrypted:false
SSDEEP:48:CrC2cmCKmB2cO4x/QxSMs6m3mSusOmzm9mi:ACCIB2dA5WSusvqgi
MD5:3ED5AB9564924E31AAE67F324210760B
SHA1:EA032153A32181951BCD2999AE5F5E3685DCCE60
SHA-256:09E566F2005A221D7645878CB4F893504103859CABA1E35C6F6939F3365A9A6F
SHA-512:F83DA6ECB7ECC48D9334207B26AD69A871BDCA623677BAFBA369B742693BD1160DA96C5237C3A1C315AA4DF1B112310FA49762DF25E2C27DF87B2DFAB926E1B3
Malicious:true
Preview:...a..........@..................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):16384
Entropy (8bit):1.0622546734467895
Encrypted:false
SSDEEP:3:Lt/hV/plfltt/lE9lllnldl/lyGltdl/l8/fNDqLs982j8tgRpbw8aRay:5X9cvV3Xy/fH8abR+LD
MD5:8D4326D44722860B3E304FF3EA69FD00
SHA1:0AB8F46FC9A38003D85A6717AC95D7B1842957E7
SHA-256:EB15D1D5D46F6DF22C2E46A73080E925F538DE71DB5D97CC86446ED759234723
SHA-512:2037A9358AE3A68928C09C4FCF0062F38C0BC23F0C73EB3409FAE9BD9A868E0459F608DD18D2A52525454417144D05CD71276A487D9C143E52F7BF0CA86CEB7E
Malicious:true
Preview:...a.............................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe
File Type:Berkeley DB 1.85 (Hash, version 2, native byte-order)
Category:dropped
Size (bytes):16384
Entropy (8bit):1.06527195213375
Encrypted:false
SSDEEP:12:5NGVqnXyLoXWvVC6aOudhBTWzol2LDcGuyrJvGyvP:SonXyLlv9uL5lzGVvP
MD5:D4B4A690379752DDC019C79BEB30780A
SHA1:9D0A068FCE35656ACF27BC54E72F0CE717C799DD
SHA-256:524CEB5B5AC360A8D36DCC4B94772734799C36DAE18B0AEA80CBD7B8BE60F5AB
SHA-512:6D0FE400D6AFBFBA87271F3D4805512478002FB59F7F1C1A26E1AB7761488E632E53DE31D54FC5A423BDBA7F6564E393D5050B4FA2AB2FB172E20A4B89EE36E0
Malicious:true
Preview:...a.............................................................n}.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
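
The dropped files above describe one mechanism rather than several unrelated artefacts. RDM_ROOT_CERTIFICATE.tmp writes a 56-byte Firefox autoconfig fragment whose only statement is lockPref("security.enterprise_roots.enabled", true); with that pref locked, Firefox trusts CA certificates found in the Windows certificate store and the user cannot flip the setting back in about:config. The same installer stage runs a bundled certutil.exe from an RdmCert directory that writes three Berkeley DB 1.85 files; that file type, and the 65536/16384/16384-byte sizes, are what Mozilla's NSS certutil produces for the legacy cert8.db/key3.db/secmod.db database set (the Windows certutil.exe of the same name does not write Berkeley DB). The page does not show the database filenames, so that mapping is an inference, not something the report states. The PowerShell triage script below is an added example for checking a host for all three traces (a new root CA in the Windows stores, an autoconfig that locks the enterprise-roots pref, and recently written NSS databases); it is not part of the Joe Sandbox report or of the analysed installer, and the baseline path, lookback window and Firefox directories it uses are assumptions to adjust for the host being examined.

```powershell
# Added triage example (not from the Joe Sandbox report or the analysed installer).
# Hunts for the three traces the dropped-file listing describes:
#   1. a root CA added to the Windows Root stores,
#   2. a Firefox autoconfig that locks security.enterprise_roots.enabled,
#   3. NSS certificate databases written recently in a Firefox profile.
# $BaselinePath, $LookbackDays and the Firefox directories are assumptions for the example.
param(
    [string]$BaselinePath = "$env:ProgramData\root-baseline.xml",   # assumed location of a saved thumbprint list
    [int]$LookbackDays = 7
)

$since = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Root stores -------------------------------------------------------------
# Preferred check: compare against a thumbprint baseline taken on a known-good host.
# Fallback (no baseline): flag self-signed roots whose NotBefore is inside the lookback.
$roots = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root
if (Test-Path $BaselinePath) {
    $known    = Import-Clixml $BaselinePath
    $newRoots = $roots | Where-Object { $_.Thumbprint -notin $known }
} else {
    $newRoots = $roots | Where-Object { $_.NotBefore -gt $since -and $_.Subject -eq $_.Issuer }
    Write-Warning ("No baseline at $BaselinePath; using the NotBefore heuristic. Save one with:`n" +
        "  (Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root).Thumbprint | Export-Clixml $BaselinePath")
}
"== Root certificates not in baseline / recently issued =="
$newRoots | Select-Object PSParentPath, Subject, Thumbprint, NotBefore | Format-Table -AutoSize

# --- 2. Firefox autoconfig ------------------------------------------------------
# A .cfg in the install directory is only honoured if a defaults\pref\*.js sets
# general.config.filename, so report both halves of the pair.
$FirefoxDirs = @("$env:ProgramFiles\Mozilla Firefox", "${env:ProgramFiles(x86)}\Mozilla Firefox") |
    Where-Object { Test-Path $_ }
"== Firefox autoconfig =="
foreach ($dir in $FirefoxDirs) {
    Get-ChildItem "$dir\defaults\pref\*.js" -ErrorAction SilentlyContinue |
        Select-String -Pattern 'general\.config\.filename' |
        ForEach-Object { "[autoconfig loader]   $($_.Path): $($_.Line.Trim())" }
    Get-ChildItem "$dir\*.cfg" -ErrorAction SilentlyContinue |
        Select-String -Pattern 'security\.enterprise_roots\.enabled' |
        ForEach-Object { "[enterprise roots pref] $($_.Path): $($_.Line.Trim())" }
}

# --- 3. NSS databases -----------------------------------------------------------
# Legacy cert8.db/key3.db/secmod.db are Berkeley DB 1.85 (the file type seen above);
# cert9.db/key4.db are the SQLite successors. Report any written inside the lookback.
$profileRoot = "$env:APPDATA\Mozilla\Firefox\Profiles"
"== NSS databases modified since $since =="
if (Test-Path $profileRoot) {
    Get-ChildItem $profileRoot -Recurse -Include cert8.db, key3.db, secmod.db, cert9.db, key4.db -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell so the LocalMachine store is readable in full. The baseline comparison is the check to rely on; the NotBefore fallback only catches roots minted shortly before installation, so a bundled CA issued months earlier would slip past it. A hit in step 2 together with a new root in step 1 means TLS interception would succeed in Firefox as well as in Windows-native clients, which is the combination the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures on this report point at.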

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):421200
Entropy (8bit):6.59808962341698
Encrypted:false
SSDEEP:12288:iHEqYsrMWIqz473PTiPoH/aGhUgiW6QR7t5qv3Ooc8UHkC2eKq87:iH9YsIWIW4rPTiPofaDv3Ooc8UHkC2e8
MD5:03E9314004F504A14A61C3D364B62F66
SHA1:0AA3CAAC24FDF9D9D4C618E2BBF0A063036CD55D
SHA-256:A3BA6421991241BEA9C8334B62C3088F8F131AB906C3CC52113945D05016A35F
SHA-512:2FCFF4439D2759D93C57D49B24F28AE89B7698E284E76AC65FE2B50BDEFC23A8CC3C83891D671DE4E4C0F036CEF810856DE79AC2B028AA89A895BF35ABFF8C8D
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........._d..17..17..17...7..17..7..17..07 .17(..7..17..7..17..7..17..7..17..7..17..7..17..7..17..7..17Rich..17........................PE..L.....K.........."!.................<.............x......................................@.................................`...<.... ...............V..P....0..H;..p................................/..@...............p............................text............................... ..`.data...$:.......,..................@....rsrc........ ......................@..@.reloc...S...0...T..................@..B........................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):770384
Entropy (8bit):6.908020029901359
Encrypted:false
SSDEEP:12288:fQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hR5:ImCy3VQs9MtLjTgfa3kon9FaOdEz5
MD5:67EC459E42D3081DD8FD34356F7CAFC1
SHA1:1738050616169D5B17B5ADAC3FF0370B8C642734
SHA-256:1221A09484964A6F38AF5E34EE292B9AFEFCCB3DC6E55435FD3AAF7C235D9067
SHA-512:9ED1C106DF217E0B4E4FBD1F4275486CEBA1D8A225D6C7E47B854B0B5E6158135B81BE926F51DB0AD5C624F9BD1D09282332CF064680DC9F7D287073B9686D33
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ R.HA<.HA<.HA<.A9..KA<.HA=..A<.'7..@<.'7...A<.'7..|A<.'7...A<.'7..IA<.'7..IA<.'7..IA<.RichHA<.........PE..L.....K.........."!................. ....... .....x.................................S....@..........................I......D...(.......................P....... L..h...8...........................pE..@............................................text............................... ..`.data...|Z... ...N..................@....rsrc................X..............@..@.reloc.. L.......N...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
Category:dropped
Size (bytes):155136
Entropy (8bit):6.337010677866242
Encrypted:false
SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
MD5:CD2B99BB86BA6A499110C72B78B9324E
SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319., Template: Intel;0, Revision Number: {F035AD1C-45C3-4166-865F-C2F7CD4958B1}, Create Time/Date: Fri Mar 19 16:11:58 2010, Last Saved Time/Date: Fri Mar 19 16:11:58 2010, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):155136
                                                                                                                                                                                                          Entropy (8bit):6.337010677866242
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3072:sMf8zRfPfe6Ss7xJjc769oH12dwGNdJK0+E4mN2EKK995:ERHfeps7xRrldw7I
                                                                                                                                                                                                          MD5:CD2B99BB86BA6A499110C72B78B9324E
                                                                                                                                                                                                          SHA1:7A288418B36E681093B33DC169E4D27C2EE33EDD
                                                                                                                                                                                                          SHA-256:41F6B61E0C070C86E32D8777629DFC8E860848865FEFA0BA7D69E9FEF0A3B174
                                                                                                                                                                                                          SHA-512:17174B8F0186F05BE1E20215AAFD64797EC4F831A0D3E0E97ADE3F0A25CB6F78D1D8BF568DFEA1B2DE2ADD3A9D64AAA5B4319F7927301D5D73BBAB1B0EAAE3D5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):16252
                                                                                                                                                                                                          Entropy (8bit):6.138899795585533
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:384:SipqWRW40Duy6kJ62TGomsbAGciKPRflciSWSx:S5WRW40qy6kJ62TGorAJiKPRui2
                                                                                                                                                                                                          MD5:3488EAF589DD3B8EA9264C0053391FA0
                                                                                                                                                                                                          SHA1:1DA2C3CECD28B774C43328E779DD5D5CA175E158
                                                                                                                                                                                                          SHA-256:6555744ECBE74E5A1214DDBF294FDF8379F182C7CCBD6D0725B07DB364FAE33B
                                                                                                                                                                                                          SHA-512:386F002FD30E5F2E7F0E6A2688BD1614343246E51E81C9E61668926BAB49DFA12DE4B78B5D92307AB3FB8E9C947445F16EE846C2EFB529B7B21A1B6305CBFBC0
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:...@IXOS.@.....@.r_Y.@.....@.....@.....@.....@.....@......&.{196BB40D-1578-3D01-B289-BEFC77A11A1E};.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319..vc_red.msi.@.....@ov...@.....@........&.{F035AD1C-45C3-4166-865F-C2F7CD4958B1}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@2....@.....@.]....&.{8453C4E7-26E8-3408-B3A4-5940CA95BC60}@.02:\SOFTWARE\Microsoft\VisualStudio\10.0\VC\VCRedist\x86\Version.@.......@.....@.....@......&.{1414BD84-D9A5-3EE5-AA73-118D7C072370}D.02:\SOFTWARE\Microsoft\DevDiv\vc\Servicing\10.0\red\x86\1033\Install.@.......@.....@.....@......&.{E2F46933-FF4F-46E0-B997-F64D2C6D4FA1}D.c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia100.dll.@.......@.....@.....@......&.{529D0A60-398C-38A2-97EF-82FAFA798A06}..c:\Win
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                          Entropy (8bit):1.5338780603477065
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:J6pptINToy5/poJegvZRdsH6DxDDZFNx:Y3tATFKUgvZRu61PZ
                                                                                                                                                                                                          MD5:EB6F224E512C9F18403A0EA6C4DE1575
                                                                                                                                                                                                          SHA1:A880AB21250CC294B4A6F88A964199A97B57A497
                                                                                                                                                                                                          SHA-256:5E8203A7538319936AE46F85C559BE75F42E0FCD180900CB812D71E0FE96463D
                                                                                                                                                                                                          SHA-512:FCC96656937FC6AF5907B1386F321403DFF1561B20C2F73C5D46DF0E7536AB924B45F6223C52301A9181418ED0812D0FE0D17D81C6748CF290B728A056CEA257
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                          Entropy (8bit):1.607334527089845
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:j8PhXuRc06WXJaFT5DNlt4SyedCVEJlQuSbedCcb6QWZfQBj:KhX1RFTNN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:A214D2C7AA9A869855CCA41B01407582
                                                                                                                                                                                                          SHA1:E12D0F31EB3BDA3008A1C822FC01E467BB067AC7
                                                                                                                                                                                                          SHA-256:B5EF2E2577020B983FBC6A9DF97557DBC483F339063ECF31C987FCA6C3DC5CE1
                                                                                                                                                                                                          SHA-512:2E4948F2B22C6E6D4EA08EA7A8E48EF03C3B2A6C10BC6D8AFEA8B51A923935F655010BFABA8587ED51D8015174E1CEEEC0C0A7ABFF2AA4750F4BB027137DF4B9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):432221
                                                                                                                                                                                                          Entropy (8bit):5.375164601628001
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau7:zTtbmkExhMJCIpErG
                                                                                                                                                                                                          MD5:7832AB464BFBDC85CFF6C44E04B95B89
                                                                                                                                                                                                          SHA1:2B6A6FE60C744BB09299219667B68B355B7477D3
                                                                                                                                                                                                          SHA-256:D5FB941CC023AD8C026195FB681D4A16871E7B6DD005B68D76AC651B3101DB36
                                                                                                                                                                                                          SHA-512:D2A86679E14A3EE3918DBA2434C879FCDA2A3E1515EE20BF5075A80D2B5DFDE9BD642F1044DF035E0F06D6AAFFDB583BB35E93FFEA5DD80B84F5B4291FC4FFDD
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):72704
                                                                                                                                                                                                          Entropy (8bit):5.120663111013087
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:768:08OHRuSkCJ/fUHhO3YhnBtTmSOa+X4ZU9qZU9DrGIL:0REGJ/fUBOohLO34p5G
                                                                                                                                                                                                          MD5:E916105F7E59F8AD0F5B80B1E91D4F37
                                                                                                                                                                                                          SHA1:D4BC9CFDD22AC7FDB600BB3A67CA153C686C00DC
                                                                                                                                                                                                          SHA-256:BFF873FC93F1FDED5634C2771ED307F8D10AD0F08235F3B727A660A8DA1EEAE5
                                                                                                                                                                                                          SHA-512:B5176E542C2E9BFF51000A4A62C49330CF8AB21F02D13169C3982C850F22B3D1B3F5F8A916DFF5A0B0A78E43699E746ECB172A211CD32FF9AE2F9478DB3155CE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.V...8...8...8..Q....8.......8..Q....8..Q....8..Q....8.j.....8.j.....8.......8.......8...9...8..Q....8.j.....8.j.....8.Rich..8.................PE..L...p..Y.................2...........7.......P....@..........................`.......&....@..................................Y...............................P......pR...............................U..@............P..0............................text....0.......2.................. ..`.rdata.......P.......6..............@..@.data........p.......N..............@....rsrc................P..............@..@.reloc..z....P......................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Category:dropped
Size (bytes):138056
Entropy (8bit):6.453257536048564
Encrypted:false
SSDEEP:3072:XGAbjYAiKWDEvB+55/Ho4y6P5sxQ2euRA9ot:z+KWovoP/Ho4BP5wdUS
MD5:36D7D05505951F542922DF4C725CC57D
SHA1:074902FF54D30EF6EE2FD6EBE475526CAC84670C
SHA-256:74B7C86B75CFAF5121554BD8CC4DD8E496458311070FA43B9B4FB13B4D8C8EAB
SHA-512:4C7F9445703FC79F595739CFC0D4E24DADE4C9959F6CB24840B020E98943F4DBED9C2937187165452215AB0A683D1159C4D629E22BFFA625BF08286FCE657889
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):888832
Entropy (8bit):7.332816074914905
Encrypted:false
SSDEEP:24576:Vf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLY:ZuscKu6GaXUT4IBAUZLY
MD5:73AF5773BF5627FE771BF6809EC839F9
SHA1:69D9597991DD0D1C6B478174AAA85B0E8175D0A7
SHA-256:6CD69191469BF13F0CEA70837BAC9B1E7871C116F5F6F18BEF5A6A9575C020C9
SHA-512:64B631454D1D16709AE96CCA95E8E3DD6049841C53EF6C4643B1A5B28A32FE6BFACB86337E93B5F9F2ABF43D0233B094646B8065D3C1FAFEAAB7C3D6E371B864
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):986112
Entropy (8bit):6.797825325058922
Encrypted:false
SSDEEP:12288:jgL7cjlDxmgi/Fxzbk9qHymaMdzRUIfZYQZOj5xCtxE0d77nPhy4aCGJf:UvchXvmaMdlUoZi5xCLP79qV
MD5:8793F1C87B8729661C79E738C3294CDC
SHA1:5DA2159F029AC01B6BDCF29534F3EBAF5EFDEF1C
SHA-256:A916F107FA78273EE104DCF8F0729D237F2E60647A389E81DBE424201274E618
SHA-512:3F228C822A1592083D321CFE5E75D284B740B9199CD2C57BA7E3582E4CB47BDBB103E61D7D70281C38979FAE9D749E542CF457640BAF9675DC01073076513E51
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):986112
Entropy (8bit):6.797825325058922
Encrypted:false
SSDEEP:12288:jgL7cjlDxmgi/Fxzbk9qHymaMdzRUIfZYQZOj5xCtxE0d77nPhy4aCGJf:UvchXvmaMdlUoZi5xCLP79qV
MD5:8793F1C87B8729661C79E738C3294CDC
SHA1:5DA2159F029AC01B6BDCF29534F3EBAF5EFDEF1C
SHA-256:A916F107FA78273EE104DCF8F0729D237F2E60647A389E81DBE424201274E618
SHA-512:3F228C822A1592083D321CFE5E75D284B740B9199CD2C57BA7E3582E4CB47BDBB103E61D7D70281C38979FAE9D749E542CF457640BAF9675DC01073076513E51
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):77824
Entropy (8bit):5.8489695835244095
Encrypted:false
SSDEEP:768:bw6vENCUvhLcSCE/StC0KuFLRO5ZikoHBc1m7s4wixE+XwVY/nToIf18IOsIOIiy:bDvENBhA+WjPLAVY/nToIfCIOsIOIip
MD5:72E87AD407BB28F5B471C3396296B377
SHA1:15CD01170FF8D8531FB16F4F7A1C5FBE810A1057
SHA-256:91EC6085E862E1EEDC254BF88EFECD4FA67F486216AB3B1473915D15462E71BB
SHA-512:1569939514C0E30E2FBF7D81586ADA53931AC36B11F306B95B5E0741C6B32C45D88D33271223C99CD4FBD585F0675D5188557E5DFE6901F9FBB2E3E8EC98A698
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):72704
Entropy (8bit):5.120663111013087
Encrypted:false
SSDEEP:768:08OHRuSkCJ/fUHhO3YhnBtTmSOa+X4ZU9qZU9DrGIL:0REGJ/fUBOohLO34p5G
MD5:E916105F7E59F8AD0F5B80B1E91D4F37
SHA1:D4BC9CFDD22AC7FDB600BB3A67CA153C686C00DC
SHA-256:BFF873FC93F1FDED5634C2771ED307F8D10AD0F08235F3B727A660A8DA1EEAE5
SHA-512:B5176E542C2E9BFF51000A4A62C49330CF8AB21F02D13169C3982C850F22B3D1B3F5F8A916DFF5A0B0A78E43699E746ECB172A211CD32FF9AE2F9478DB3155CE
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):888832
Entropy (8bit):7.332816074914905
Encrypted:false
SSDEEP:24576:Vf2VfWlcKu6Gavkg3NydIbbbI4IBAUZLY:ZuscKu6GaXUT4IBAUZLY
MD5:73AF5773BF5627FE771BF6809EC839F9
SHA1:69D9597991DD0D1C6B478174AAA85B0E8175D0A7
SHA-256:6CD69191469BF13F0CEA70837BAC9B1E7871C116F5F6F18BEF5A6A9575C020C9
SHA-512:64B631454D1D16709AE96CCA95E8E3DD6049841C53EF6C4643B1A5B28A32FE6BFACB86337E93B5F9F2ABF43D0233B094646B8065D3C1FAFEAAB7C3D6E371B864
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):986112
Entropy (8bit):6.797825325058922
Encrypted:false
SSDEEP:12288:jgL7cjlDxmgi/Fxzbk9qHymaMdzRUIfZYQZOj5xCtxE0d77nPhy4aCGJf:UvchXvmaMdlUoZi5xCLP79qV
MD5:8793F1C87B8729661C79E738C3294CDC
SHA1:5DA2159F029AC01B6BDCF29534F3EBAF5EFDEF1C
SHA-256:A916F107FA78273EE104DCF8F0729D237F2E60647A389E81DBE424201274E618
SHA-512:3F228C822A1592083D321CFE5E75D284B740B9199CD2C57BA7E3582E4CB47BDBB103E61D7D70281C38979FAE9D749E542CF457640BAF9675DC01073076513E51
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4342088
Entropy (8bit):7.051728105290309
Encrypted:false
SSDEEP:98304:BZP0PvxMJfTcXPSo0akd+BPSLC4IEy+XNy136jCfsqLhDIJJGN8mFLOAkGkzdnEe:BZP2iIE80qLrHFLOyomFHKnPAG
MD5:07BCCDCC337D393D7DB0B2F8FE200B3F
SHA1:5A02B227CB0A22A8E7884CD138C3E8568D083D94
SHA-256:BF38DDA13B938B49A4DF72B6477342373EE6E151BE12C25CB0C17662FCB4BCD4
SHA-512:E5637727A549CF7B88F13474097A71200F0DFA511ECD55C5A42E5F53E9F86CE8B7CE763448830FD073E232876F7537BAD96F2CED8D3159558778460264D07639
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36176
Entropy (8bit):5.5666055070859155
Encrypted:false
SSDEEP:768:I5divsXPqptLkrHyTby9XVLwMi2jXHUIv:wi0XPqptLUHCbyBVL39rHUIv
MD5:8BF73FAA44C897C1812F2DACF0EAAF8A
SHA1:C9D4E010FC9069F44028AA54CF4AC3329CA2AB2F
SHA-256:8D1E7FB72BCEB10215108D48FE4FA6AEA1F03636F56FC3BE5E6D5552C4094C46
SHA-512:61C0609E0BEEC2985FE8FC7839C17463DA685D39221D648FAA8C7F088627A6C514A8FCFE71948ADF2D3F28B2AF78F8653FE5E4771D7C1AB000FC2F7463D09E8C
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):36176
Entropy (8bit):5.622324615571566
Encrypted:false
SSDEEP:768:SuufpTVI4pk7kn4TJVM3i/EhKTMi2jpvAx:+pTVI4pk4noVM3XhKg95Ax
MD5:4AD997573259D5BBF211D9FB2BBA3DB0
SHA1:C9A8BADE464A2AEDF823CE147529A74DA5416038
SHA-256:90ADEFDCD57C9CE8C5E542FCBDA108860427E9334BD9BFE564AD5556683BC954
SHA-512:4C630D8ED88DB6062561BCF379235E9CA113C1F9F5DD54A6A9088E5D31B38573B6C891376E76AF0BDEAE360F47D714F2DE8AD9632C7FECB1FC3FF0CA7FC6022B
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):64336
Entropy (8bit):4.138154922872674
Encrypted:false
SSDEEP:1536:fVPidQr0OWqnn0BDhCPu6V4aGCWRZ+e0petNSaQhp0vcsjsr8gWt8C1dCuf9j95a:fVidQr0OWqnnShCPu6V4aGCWRZX0bhpv
MD5:5F522204B79025F0D5870076111409F3
SHA1:6A17C85B6C4B3F33F2B8D8755EA38D5B0C092168
SHA-256:CE1FC625509D697A2CD174115A593158AD9EED5B97967E619421696FC01D381E
SHA-512:405B8DEAB3E87618C0C1238585E0CA7C22E66984148568AF5915B2E908B6C07218774667839B67481661E14727FBF95061A78802E6154286C229170F42A0F1A0
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):55120
Entropy (8bit):4.197711698709668
Encrypted:false
SSDEEP:768:EgIdijcuEhCgySa6B1CLPLNq5f/nWHBNheOU2fd5WMi2jpvm:3I0ifySa6B8PLNYf/nWHNTdv95m
MD5:D21165B7DBCC968CD829C00608F5694E
SHA1:E6882666F88572624AB77074CEAD86448A6CF641
SHA-256:14C4069CD931E9CD3F519D321CE50E4E531C385403C124FFEE7CA7831B0ADB63
SHA-512:A3F00761110214C1FFEE78A008A1E17C9969B12B2B3D33C655E47D9E3E6ED13AFAC000402C24F3C20878348C8970856098EC89ABF426D9F990F4C71309E73B62
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):63824
Entropy (8bit):4.069449731249543
Encrypted:false
SSDEEP:768:aYE0Kv+BU69x6rg/PKuCOCF3OKWRElJRZRIvpsMi2jXHU/kv2:LA+q69x68/PKuFm3OKWkRZRIp9rHUk2
MD5:81C0790DBD237317E4BA2908F53E045A
SHA1:70A077458CAD7E76B23F0FF77D6CFCB9F0FA4693
SHA-256:DC5ABB34069E3E8E1451E36B44822DEF82B624F9811F825D417874202A4A242C
SHA-512:47D4ABA0F7691FDA6E388646767C3D99C2781F21BF58A46399750DC780C160CBC1060B8923767CAE2546BDE58B6F631C6AC4583711E15F9460BCDE7637BD7D3A
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):64336
Entropy (8bit):4.118195590576372
Encrypted:false
SSDEEP:768:kqth26iN6NjZELIaYImN8YxAaTafCp5eFQZmZUjyyyyyyyyyyyyyyyUGQFUbWo2J:FNPqLIaQA2SCHj0jt95Q
MD5:BDB98792CE6C2654F14E1BF47263527B
SHA1:60E946BF95ABAE671E9F88CE5AE7ADA6D2CA0B5C
SHA-256:6AB663A7C7A648DDDB428ACDBC8CBC91C66C93A52323DF1A519BFEAEA9A4F6EC
SHA-512:3747B0CC87D20FA0D0F8FACB43AE917FDB174665B4363FAC2943787ABE4C645D36C73B40327FBA33F87F0C8C65CB33375F9E91A3A75D7EDD791AFB89F17E9FE1
Malicious:false
Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):62288
Entropy (8bit):4.093367290099013
Encrypted:false
SSDEEP:768:K6E6XaEYyqbK15MEBigDGxNIlW3gyCQQQjeqS1hDsiiUWTVqMi2jXHUd:naEOs5MEBigSxNIlW37oETb9rHUd
MD5:3301A48EC56740776326760858936BCD
SHA1:BDDC636C935A4C965FF6A4723EC754CFA09DA8C6
SHA-256:7E36BA0E433F5478B1F405388870533EE2B631A4BEE992EB6C5708797A8E0B25
SHA-512:E23604EB225435D941BB57D93AABCD9F4652CC6A1BEC4579064A0C9FD794D5A64B959A98ED8636EF127F37C7671C36BF27C13EBD1309968D43EBBA7117D49072
Malicious:false

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):43856
Entropy (8bit):5.449702782814297
Encrypted:false
SSDEEP:768:dsTbayVn/IatJxtr10/euKRHIWIMi2jXHUh:GTeyp/Is/uMl9rHUh
MD5:6A7F31C6FAFEA0EF7F17A9B17B247254
SHA1:78C3614453D4FB5F96BD21B7CE66E9D5C8C22FCC
SHA-256:93CCF853A22AD5C9A3BC9F0D87FAB3E356C728332E5968E38B3751C03179B06A
SHA-512:CC6332E4406D5109CF1522BDA36C1C05B83542ADBF180D88286F08F3E5F260A84A20898B2539E9BAECC6D86EED503EB9ED05AEC2B26672C044EF9A0FB8F12E7D
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......K.........."!..............................6]................................m.....@.............................................X...............P............................................................................................rsrc...X...........................@..@....................................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):43344
Entropy (8bit):5.551158148566457
Encrypted:false
SSDEEP:768:fVz754LQTN3kraHniJNB2I7CvquMi2jXHUPc:151TN3VniJv2I7CvqZ9rHUPc
MD5:B5A093F44E7E5C618A7698839DF6583C
SHA1:F4707CF3D4CBE81E9A680B74C201C386ECA8649E
SHA-256:C3DC021011FE766D54927F6865936B3B9473E5BC38BB1BBACB94A0C739C4A16D
SHA-512:937DA004BB71A4B764CEB284D2760E71247F47A6D4D2EAA594A4269C2F5E2A2701DCA91493248D3E6BD08A6AE0C9C3A0342C1B1B8DE180010159E129A2FB0004
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......K.........."!..............................6].................................s....@.............................................................P............................................................................................rsrc...............................@..@....................................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):60752
Entropy (8bit):4.6896553999495465
Encrypted:false
SSDEEP:768:yURq/lFXOv/iuqN9TMIVhtZ3FckD+SyMi2jpv2l:MDXOv/ahTVV952l
MD5:6D163D436251978D14E4C80F33385D76
SHA1:CC1957B2D9ADEBC1946CAF3E8DCA08623E43842F
SHA-256:8597AFF5549E1F14805F288CE69C0DCE270ED0C1D6515A4C923004F0D753240C
SHA-512:0CD9DEF6C62180CF7D90EED35D6FAB73DDFABA91C0642111EB592896FDB50EC4E1CEEA21F298F10AA6290AFEA208B961C979F075FCFAD169674965E0E01F5995
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l...............{%......{".....Rich............PE..L......K.........."!..............................6].................................m....@.............................................................P............................................................................................rsrc...............................@..@....................................................................8.......P.......8....... .......8....................>..P....................>..h....>.......?.......?.......?.......?.......?.......?.......?..(....A..@....B..X... B..p...AB......BB......CB......VB......lB.......B.......B.......B..0....x..H....x..`....x..x....x.......~.......~.......~....................;..................... .......8.......P.......h...........!.......(.......).......*.......,.......-...........(.......@.......X.......p...........................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4368720
Entropy (8bit):7.026244983352001
Encrypted:false
SSDEEP:98304:zge9f+eJ5LbHVlaHqQ1NaXJw9QxCqk23i3ggGe9SfcoLDPiHkKos7FLOAkGkzdnR:zxf5cBudLps7FLOyomFHKnPAw
MD5:F841F32AD816DBF130F10D86FAB99B1A
SHA1:0F8B90814B33275CF39F95E769927497DA9460BF
SHA-256:7A4CFBCE1EB48D4F8988212C2E338D7781B9894EF0F525E871C22BB730A74F3E
SHA-512:6222F16722A61EE6950B6FBCBE46C2B08E2394CE3DD32D34656FAF2719E190E66B4E59617C83F117AD3793B1292A107F275087B037CF1B6E4D9819323748079A
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................x.......g.....E.c.......e.......Q.......P......h.........?.....T.L.....`.......a.......f.....Rich............PE..L......K.........."!......*..>......=.%.......*..._x......................... C.......C...@.........................`.).`...t.).......+.H.............B.P.....?.0... /...............................>..@...................h.)......................text.....*.......*................. ..`.data.........*.......*.............@....rsrc...H.....+......<+.............@..@.reloc...R....?..T...>?.............@..B........................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):80208
Entropy (8bit):6.173505901056785
Encrypted:false
SSDEEP:1536:KKfLgly77rSxB8p/KGefmLQBY3pROBCrU95:KYg877rwB8p/KGefmLJ3pROBCrU95
MD5:09FF12BAE0EB3E6E688609095390D34B
SHA1:49511F73B54E8F702C7EA769331558B8705DFEC3
SHA-256:0FEF52F0378B75600B828172377DEA92F8CE4F9CB2E0DCEE5D96300EA6D102DD
SHA-512:D7EA7B78CE34E5DFC3EBFA2268C8349469854D02DC4C3423D517DD3B74FFD283409EEB275676F68F6DDC514D8D05EBD44125EA630064493D10AEFA4749974EBC
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`..C..C..C..JyO.A..]S_.A..,wP.F...OT.B..,wR.B..,wf.O..Jy_.G..C.....,wg.V..,wW.B..,wV.B..,wQ.B..RichC..........................PE..L......K.........."!.....B...*......PN.......`.....x......................................@......................... +.......$..x...................."..P............b.............................. n..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data....P...0......................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):80720
Entropy (8bit):6.164375554936668
Encrypted:false
SSDEEP:1536:+iH8I62fuAyjBi28NaHmOKGefmLQBw93OBOQky9rHUWe:+jI62fxKT8NaHhKGefmLH93OBOQky9o1
MD5:9BF0CB63876BA82B8178EC733F6510C7
SHA1:BBC2580DA25AE39655D6A042761F8A753A9F127F
SHA-256:D9A7C9ECF9C022B2FBFE1EFEEA5215A7CAA2BF95674FA88DD5E35AFDB310E80A
SHA-512:D61D38530D40201AB6934CF256728D24E597065FAE12A77B36103B5CE3BD19B342B436BF54C56949F11B957C4F93795E059EE4784EFD213C22E9E6FB072E24A5
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`..C..C..C..JyO.A..]S_.A..,wP.F...OT.B..,wR.B..,wf.O..Jy_.G..C.....,wg.V..,wW.B..,wV.B..,wQ.B..RichC..........................PE..L......K.........."!.....B...D......PN.......`.....x................................h"....@..........................+......T%..x....................$..P............b..............................0n..@............`...............b..H............text....@.......B.................. ..`.rdata.......`.......F..............@..@.data...<h...0......................@....rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Windows\System32\msiexec.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):51024
Entropy (8bit):6.5875642480554895
Encrypted:false
SSDEEP:1536:NEYT1tiIlhnRlp+nbBjzzLSXI/Je9rHU6k:BYIl7lp+nbdz4I/U9oH
MD5:631945C6518533A9FADAAA8E98F4AB5B
SHA1:34B856EBDDA19B5AB96ED77FB5FB82A00CFE023A
SHA-256:2011268947625670A758382E811C71B597B615F1763F8D30A5195B80DA4644FC
SHA-512:1CBBC26787AEADE276B30582124B7C457F352754BDDF72A709E90EA884F09CC1327EBBA3087ECB3224762438F669F860C640B18B1863995955E429B3ED894372
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\}...........wjQ....wje.....d\.......'..wj`....wjT....wjU....wjR....Rich...........PE..L......K.........."!................#X.............r................................".....@.................................t...<.......................P.......\.......................................@............................................text............................... ..`.data...............................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):77824
Entropy (8bit):5.8489695835244095
Encrypted:false
SSDEEP:768:bw6vENCUvhLcSCE/StC0KuFLRO5ZikoHBc1m7s4wixE+XwVY/nToIf18IOsIOIiy:bDvENBhA+WjPLAVY/nToIfCIOsIOIip
MD5:72E87AD407BB28F5B471C3396296B377
SHA1:15CD01170FF8D8531FB16F4F7A1C5FBE810A1057
SHA-256:91EC6085E862E1EEDC254BF88EFECD4FA67F486216AB3B1473915D15462E71BB
SHA-512:1569939514C0E30E2FBF7D81586ADA53931AC36B11F306B95B5E0741C6B32C45D88D33271223C99CD4FBD585F0675D5188557E5DFE6901F9FBB2E3E8EC98A698
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S...2.@.2.@.2.@.:.@.2.@.:.@.2.@.2.@.2.@.:.@.2.@.>.@.2.@.>.@.2.@`9.@.2.@.>.@.2.@Rich.2.@........................PE..L......L...........!................3.............LZ.........................0..................................................<............................ ......`...................................................H............................text............................... ..`.rdata...H.......P..................@..@.data...P...........................@....rsrc...............................@..@.reloc....... ....... ..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                          Entropy (8bit):1.2839347872328748
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:tGMPukO+CFXJLT5MNlt4SyedCVEJlQuSbedCcb6QWZfQBj:lPazTeN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:CB13AECDE80B76C314538F128F9AA420
                                                                                                                                                                                                          SHA1:FE24A8A6C49A463A7A528AEE8331CC523FBE6486
                                                                                                                                                                                                          SHA-256:11F50CF7880DC91C777C2458491BF1BBCBD75488CB56D9AC0CF4C945F1DE295D
                                                                                                                                                                                                          SHA-512:01AEAFD33773E4826106DE51E98877341D086238B2F233B9DAC2365898C21E430A00E180114BE6B6A7FA5459882EF530B7C4F539D647C18D07739F382411CD01
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                          Entropy (8bit):1.2839347872328748
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:tGMPukO+CFXJLT5MNlt4SyedCVEJlQuSbedCcb6QWZfQBj:lPazTeN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:CB13AECDE80B76C314538F128F9AA420
                                                                                                                                                                                                          SHA1:FE24A8A6C49A463A7A528AEE8331CC523FBE6486
                                                                                                                                                                                                          SHA-256:11F50CF7880DC91C777C2458491BF1BBCBD75488CB56D9AC0CF4C945F1DE295D
                                                                                                                                                                                                          SHA-512:01AEAFD33773E4826106DE51E98877341D086238B2F233B9DAC2365898C21E430A00E180114BE6B6A7FA5459882EF530B7C4F539D647C18D07739F382411CD01
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                          Entropy (8bit):1.2839347872328748
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:tGMPukO+CFXJLT5MNlt4SyedCVEJlQuSbedCcb6QWZfQBj:lPazTeN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:CB13AECDE80B76C314538F128F9AA420
                                                                                                                                                                                                          SHA1:FE24A8A6C49A463A7A528AEE8331CC523FBE6486
                                                                                                                                                                                                          SHA-256:11F50CF7880DC91C777C2458491BF1BBCBD75488CB56D9AC0CF4C945F1DE295D
                                                                                                                                                                                                          SHA-512:01AEAFD33773E4826106DE51E98877341D086238B2F233B9DAC2365898C21E430A00E180114BE6B6A7FA5459882EF530B7C4F539D647C18D07739F382411CD01
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                          Entropy (8bit):1.607334527089845
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:j8PhXuRc06WXJaFT5DNlt4SyedCVEJlQuSbedCcb6QWZfQBj:KhX1RFTNN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:A214D2C7AA9A869855CCA41B01407582
                                                                                                                                                                                                          SHA1:E12D0F31EB3BDA3008A1C822FC01E467BB067AC7
                                                                                                                                                                                                          SHA-256:B5EF2E2577020B983FBC6A9DF97557DBC483F339063ECF31C987FCA6C3DC5CE1
                                                                                                                                                                                                          SHA-512:2E4948F2B22C6E6D4EA08EA7A8E48EF03C3B2A6C10BC6D8AFEA8B51A923935F655010BFABA8587ED51D8015174E1CEEEC0C0A7ABFF2AA4750F4BB027137DF4B9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                          Entropy (8bit):0.3364159434289711
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:12:oBWxx0i8n0itFzDHFVa+7EpPeJMVvh/J09RSdIpHMsULzkQDTrWQDTrWB9CrclWS:vxOF0ml/poJegvZRdsH6DxDD
                                                                                                                                                                                                          MD5:597116FD1A30D7512E5BBBE0FB943CBA
                                                                                                                                                                                                          SHA1:C595A0C8390069463DF1E05AF16B4676E245CAFA
                                                                                                                                                                                                          SHA-256:9579E3B1C16ADCCBE22F7E80F96245FB00939C15BAE5E32390580E588DC8DD28
                                                                                                                                                                                                          SHA-512:1992613B1DBB8867F19CA5F2E9380CB8A6D554B417A4E3874A2D9C981B3932992A51140891C53E6ED10F5737346A467A11DB8992DB3D7935E48F2ADEC5340AB5
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                          Entropy (8bit):1.607334527089845
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:48:j8PhXuRc06WXJaFT5DNlt4SyedCVEJlQuSbedCcb6QWZfQBj:KhX1RFTNN34/nVAXWnLQWZoB
                                                                                                                                                                                                          MD5:A214D2C7AA9A869855CCA41B01407582
                                                                                                                                                                                                          SHA1:E12D0F31EB3BDA3008A1C822FC01E467BB067AC7
                                                                                                                                                                                                          SHA-256:B5EF2E2577020B983FBC6A9DF97557DBC483F339063ECF31C987FCA6C3DC5CE1
                                                                                                                                                                                                          SHA-512:2E4948F2B22C6E6D4EA08EA7A8E48EF03C3B2A6C10BC6D8AFEA8B51A923935F655010BFABA8587ED51D8015174E1CEEEC0C0A7ABFF2AA4750F4BB027137DF4B9
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):73728
                                                                                                                                                                                                          Entropy (8bit):0.15106038840696284
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:24:PBjfRZfdb6QoipV5QG+RdCaipVkQG+RdCIwEVKWl//gNlG3w+DWl/0t1:PBj5Zfdb6QoSbedCaSyedCVEJlQJllq
                                                                                                                                                                                                          MD5:B07A2FD654736025E6C9C833D415FA2A
                                                                                                                                                                                                          SHA1:309CF389326ED604BE12DB5BB7DD2B57FC7B4ECB
                                                                                                                                                                                                          SHA-256:FDEBE3D09719B41972FB5D737488504FB8654B9E0325D72D7731DF547759EE29
                                                                                                                                                                                                          SHA-512:211575C2E17ED0AC36379235F2C776E4A735FC16804C5DAD285B613837E653395F619A58C1B437B1B4CF16FA6C7726A3DA8DB06E921E4C763AD6487F07991A70
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe
                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                          Size (bytes):19
                                                                                                                                                                                                          Entropy (8bit):3.5110854081804286
                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                          SSDEEP:3:RoHQGQB5:RZGU5
                                                                                                                                                                                                          MD5:E3AC0178A28CF8E44D82A62FAE2290D7
                                                                                                                                                                                                          SHA1:C0F1C66E831ADD5EA81B19BFA0E85D1D2CA192BA
                                                                                                                                                                                                          SHA-256:2C61108AC0158F555B0632F5658D79D502B0929F2090848A7DEB77158667D43C
                                                                                                                                                                                                          SHA-512:F7C2290526630DEF784459621007F389D720034D3BCE1EFF9B761C7A959061FDB465B9D239290EB543E7B0CFB41682361D0400459621F8756A8A09782F33693A
                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                          Preview:CertMgr Succeeded..
                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                          Entropy (8bit):7.997566234375059
                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                          File name:WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
                                                                                                                                                                                                          File size:41'523'552 bytes
                                                                                                                                                                                                          MD5:c20f986ed82e351e90b8a8140ccbf8e9
                                                                                                                                                                                                          SHA1:9b62da430088fb0a73deaa8fb99ca7df89ffc0b2
                                                                                                                                                                                                          SHA256:d8475f7c55ff4a9e40c2593b477d2bed7d7c3e8f79ef3eed64a61794b328f130
                                                                                                                                                                                                          SHA512:49c491a3b7c7c1fbbb261e56970bff9db03956f3473c0cf7852287f4a209b92021e72a3e35974d840090d7c0c589b140fc006fc836b3d24f087b48c14c877a26
                                                                                                                                                                                                          SSDEEP:786432:RVXAo87HPSrQgT+Kykoo1AMLOf6HxyDoOi/JUBTKtF41Zfh2+4Bp5V1y:hCHqrQD+oSYSHS7i/yBGtF8g5V1y
                                                                                                                                                                                                          TLSH:6197337BB265253EC09E163244739A10A8BBA7A1755BCC2E5BF04B4DCF798310F3B259
                                                                                                                                                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                                                                                                          Icon Hash:a8545a58561232cd
                                                                                                                                                                                                          Entrypoint:0x4b5eec
                                                                                                                                                                                                          Entrypoint Section:.itext
                                                                                                                                                                                                          Digitally signed:true
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                          Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                                          OS Version Minor:1
                                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                                          File Version Minor:1
                                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                                                                                          Import Hash:5a594319a0d69dbc452e748bcf05892e
                                                                                                                                                                                                          Signature Valid:true
                                                                                                                                                                                                          Signature Issuer:CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                                                                                                                                          Signature Validation Error:The operation completed successfully
Error Number: 0
Not Before, Not After
• 09/07/2021 20:36:32 09/10/2024 20:36:32
Subject Chain
• CN=Deluxe Corporation, OU=Deluxe Corporation, O=Deluxe Corporation, L=Shoreview, S=Minnesota, C=US
Version: 3
Thumbprint MD5: 5ECB230EA62F6310DA00D39156E7E87F
Thumbprint SHA-1: F1D7BFF5EC16EA44FE89983F1B04092CED35C8F2
Thumbprint SHA-256: 3397A9A9A8E7E4B706E20ED8FF303ADA2A711DBC6B3FF84B9F3B5DCDF1613321
Serial: 2A92FB53E470AC968584EF08
Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007FD9490CE745h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FD949170E6Fh
call 00007FD9491709C2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FD9490E41B8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FD9490C9337h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007FD9490E521Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FD949170EF7h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FD9491774DAh
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FD9490E5B14h
mov edx, dword ptr [004C1D90h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x6588 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2796da0 | 0x2bc0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xb361c | 0xb3800 | ad6e46e3a3acdb533eb6a077f6d065af | False | 0.3448639341051532 | data | 6.356058204328091 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xb5000 | 0x1688 | 0x1800 | d40fc822339d01f2abcc5493ac101c94 | False | 0.544921875 | data | 5.972750055221053 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xb7000 | 0x37a4 | 0x3800 | 4c195d5591f6d61265df08a3733de3a2 | False | 0.36097935267857145 | data | 5.044400562007734 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xbb000 | 0x6de8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xc2000 | 0xf36 | 0x1000 | a73d686f1e8b9bb06ec767721135e397 | False | 0.3681640625 | data | 4.8987046479600425 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xc3000 | 0x1a4 | 0x200 | 41b8ce23dd243d14beebc71771885c89 | False | 0.345703125 | data | 2.7563628682496506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xc4000 | 0x9a | 0x200 | 37c1a5c63717831863e018c0f51dabb7 | False | 0.2578125 | data | 1.8722228665884297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xc5000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xc6000 | 0x5d | 0x200 | 8f2f090acd9622c88a6a852e72f94e96 | False | 0.189453125 | data | 1.3838943752217987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xc7000 | 0x6588 | 0x6600 | 64b57db47ddf02799c92b942d5c848fc | False | 0.2545955882352941 | data | 4.338006249498075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc7438 | 0x3228 | Device independent bitmap graphic, 64 x 128 x 24, image size 12288 | English | United States | 0.18489096573208721
RT_STRING | 0xca660 | 0x360 | data | | | 0.34375
RT_STRING | 0xca9c0 | 0x260 | data | | | 0.3256578947368421
RT_STRING | 0xcac20 | 0x45c | data | | | 0.4068100358422939
RT_STRING | 0xcb07c | 0x40c | data | | | 0.3754826254826255
RT_STRING | 0xcb488 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xcb75c | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xcb814 | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xcb8b0 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xcbc24 | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xcbfbc | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xcc324 | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xcc5c8 | 0x10 | data | | | 1.5
RT_RCDATA | 0xcc5d8 | 0x2c4 | data | | | 0.6384180790960452
RT_RCDATA | 0xcc89c | 0x2c | data | | | 1.2045454545454546
RT_GROUP_ICON | 0xcc8c8 | 0x14 | data | English | United States | 1.15
RT_VERSION | 0xcc8dc | 0x584 | data | English | United States | 0.2762039660056657
RT_MANIFEST | 0xcce60 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4005464480874317
DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name | Ordinal | Address
TMethodImplementationIntercept | 3 | 0x454060
__dbk_fcall_wrapper | 2 | 0x40d0a0
dbkFCallWrapperAddr | 1 | 0x4be63c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T19:22:58.229024+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49733 | TCP
2024-10-31T19:23:38.277211+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.4 | 49755 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 19:23:48.113135099 CET | 56966 | 53 | 192.168.2.4 | 1.1.1.1
Oct 31, 2024 19:23:48.121131897 CET | 53 | 56966 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 31, 2024 19:23:48.113135099 CET | 192.168.2.4 | 1.1.1.1 | 0x3e3 | Standard query (0) | 209.183.8.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 31, 2024 19:23:48.121131897 CET | 1.1.1.1 | 192.168.2.4 | 0x3e3 | Name error (3) | 209.183.8.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false

Target ID: 0
Start time: 14:22:38
Start date: 31/10/2024
Path: C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Imagebase: 0x400000
File size: 41'523'552 bytes
MD5 hash: C20F986ED82E351E90B8A8140CCBF8E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 1
Start time: 14:22:38
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-646K4.tmp\WIN_SCM_RDM_INSTALL_4.0.4.0.tmp" /SL5="$2043E,40682831,788480,C:\Users\user\Desktop\WIN_SCM_RDM_INSTALL_4.0.4.0.EXE"
Imagebase: 0x400000
File size: 3'131'328 bytes
MD5 hash: C2B12368174C2843B050C1000CD7A7F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:22:46
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_Install_4.0.4.0.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Imagebase: 0x400000
File size: 21'344'240 bytes
MD5 hash: FAC28B29942B43B885400CCBCBC47C06
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low
Has exited: true

Target ID: 3
Start time: 14:22:47
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-17H0B.tmp\WIN_DA_INSTALL_4.0.4.0.tmp" /SL5="$40272,20499878,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_DA_INSTALL_4.0.4.0.exe" /VERYSILENT /NORESTART
Imagebase: 0x400000
File size: 3'131'328 bytes
MD5 hash: 895924B96B8B7BC52781E921E0AB93B8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 2%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 14:22:47
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase: 0x490000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 14:22:47
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 14:22:47
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 stop RDMAppweb
Imagebase: 0x920000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 14:22:49
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 14:22:49
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                          Start time:14:22:49
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tasklist
                                                                                                                                                                                                          Imagebase:0xbe0000
                                                                                                                                                                                                          File size:79'360 bytes
                                                                                                                                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                          Start time:14:22:49
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
                                                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                          Start time:14:22:49
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:12
                                                                                                                                                                                                          Start time:14:22:49
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tasklist
                                                                                                                                                                                                          Imagebase:0xbe0000
                                                                                                                                                                                                          File size:79'360 bytes
                                                                                                                                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                          Start time:14:22:51
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          File size:6'585'704 bytes
                                                                                                                                                                                                          MD5 hash:8DFECDDDB51D01D40B8FC278AE3C555C
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                          Start time:14:22:51
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4NTEP.tmp\rdmappweb-4.6.0-ms-windows-x86.tmp" /SL5="$104F4,6322833,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\rdmappweb-4.6.0-ms-windows-x86.exe" /VERYSILENT
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:721'920 bytes
                                                                                                                                                                                                          MD5 hash:62B4483DC79B5846006C0C644B51FE6C
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                          • Detection: 2%, ReversingLabs
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                                          Start time:14:22:53
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" uninstall
                                                                                                                                                                                                          Imagebase:0x700000
                                                                                                                                                                                                          File size:16'896 bytes
                                                                                                                                                                                                          MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:16
                                                                                                                                                                                                          Start time:14:22:53
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" install enable
                                                                                                                                                                                                          Imagebase:0x700000
                                                                                                                                                                                                          File size:16'896 bytes
                                                                                                                                                                                                          MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:18
                                                                                                                                                                                                          Start time:14:22:54
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb/bin/rdmappman.exe" start
                                                                                                                                                                                                          Imagebase:0x700000
                                                                                                                                                                                                          File size:16'896 bytes
MD5 hash: 13037BCDD7B6062CFC5D5939456AA7F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 14:22:54
Start date: 31/10/2024
Path: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
Imagebase: 0x700000
File size: 16'896 bytes
MD5 hash: 13037BCDD7B6062CFC5D5939456AA7F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 14:22:54
Start date: 31/10/2024
Path: C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
Imagebase: 0x740000
File size: 12'288 bytes
MD5 hash: BA232235CDE212CF4900B84C7BF1CC0E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 14:22:54
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 14:22:55
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase: 0x490000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 14:22:55
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 14:22:56
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 stop RDMAppweb
Imagebase: 0x920000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 14:22:57
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 14:22:57
Start date: 31/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 14:22:57
Start date: 31/10/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xbe0000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 14:22:59
Start date: 31/10/2024
Path: C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\vcredist_x86.exe" /q
Imagebase: 0x1000000
File size: 5'073'240 bytes
MD5 hash: B88228D5FEF4B6DC019D69D4471F23EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 14:23:01
Start date: 31/10/2024
Path: C:\8ae2907c08a3ced0022a08\Setup.exe
Wow64 process (32bit): true
Commandline: c:\8ae2907c08a3ced0022a08\Setup.exe /q
Imagebase: 0xb30000
File size: 78'152 bytes
MD5 hash: 006F8A615020A4A17F5E63801485DF46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 32
Start time: 14:23:07
Start date: 31/10/2024
Path: C:\Windows\System32\msiexec.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                          Imagebase:0x7ff77d310000
                                                                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:33
                                                                                                                                                                                                          Start time:14:23:12
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          File size:6'482'264 bytes
                                                                                                                                                                                                          MD5 hash:DBC54A8343ACC3271098DD7F2E5B7345
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:34
                                                                                                                                                                                                          Start time:14:23:12
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-QQO02.tmp\RDM_ROOT_CERTIFICATE.tmp" /SL5="$40508,6221732,66048,C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\RDM_ROOT_CERTIFICATE.exe" /VERYSILENT /NORESTART
                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                          File size:729'280 bytes
                                                                                                                                                                                                          MD5 hash:3E828ACD7AFDC653C0E0CA4F00A876C6
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:35
                                                                                                                                                                                                          Start time:14:23:13
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certmgr.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root
                                                                                                                                                                                                          Imagebase:0x1000000
                                                                                                                                                                                                          File size:59'664 bytes
                                                                                                                                                                                                          MD5 hash:5D077A0CDD077C014EEDB768FEB249BA
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:36
                                                                                                                                                                                                          Start time:14:23:13
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:37
                                                                                                                                                                                                          Start time:14:23:14
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert""
                                                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:38
                                                                                                                                                                                                          Start time:14:23:14
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:39
                                                                                                                                                                                                          Start time:14:23:14
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"
                                                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:40
                                                                                                                                                                                                          Start time:14:23:14
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\certutil.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem"
                                                                                                                                                                                                          Imagebase:0xe0000
                                                                                                                                                                                                          File size:103'936 bytes
                                                                                                                                                                                                          MD5 hash:0C6B43C9602F4D5AC9DCF907103447C4
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:41
                                                                                                                                                                                                          Start time:14:23:16
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"
                                                                                                                                                                                                          Imagebase:0xd80000
                                                                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                                                                          MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

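The records for Target IDs 35, 37, 39, 40 and 41 are the part of this process tree that explains the "Installs new ROOT certificates" and "Overwrites Mozilla Firefox settings" signatures: certmgr.exe adds rdmroot.pem to the Windows LocalMachine Root store (`-r localmachine Root`), cmd.exe enumerates Firefox profiles, and a certutil.exe shipped in the installer's Temp directory imports the same PEM into the profile's NSS database with trust flags `TCu,TCu,TCu` (T = trusted CA for client certs, C = trusted CA for server certs, u = user cert, in the SSL, e-mail and object-signing slots). The `-A -n -t -d -i` syntax is NSS certutil's, not Microsoft's certutil.exe, which is why it runs from outside System32. The following triage helper is an added example, not part of the Joe Sandbox report or of the RDM installer: it tokenizes those command lines (copied from the records above as constructed sample input) and flags the trust-store writes. The technique names and the high/medium/info scale are this example's own conventions.

```python
"""Flag trust-store modifications in sandbox process command lines.

Added example, not part of the Joe Sandbox report. Assumed tool syntax:
certmgr.exe (Windows SDK) `-add ... -r localmachine Root` and NSS
certutil `-A -n <nick> -t <flags> -d <dbdir> -i <file>`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: command lines from the records above, keyed by Target ID.
SAMPLE_COMMANDLINES = {
    35: r'"C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/CertMgr.exe" -add -all -c rdmroot.pem -s -r localmachine Root',
    37: r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem" "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert""',
    39: r'C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*"',
    40: r'"C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert"\certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\." -i "C:\Users\user\AppData\Local\Temp\is-U1AOT.tmp\RdmCert\rdmroot.pem"',
    41: r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RdmDAWrap.dll"',
}


@dataclass(frozen=True)
class Finding:
    target_id: int
    severity: str   # "high", "medium" or "info" (this example's own scale)
    technique: str
    detail: str


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace outside double quotes; quotes toggle and are dropped,
    so the mixed form "C:\\dir"\\tool.exe (Target ID 40) yields one path token."""
    tokens, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def basename(path: str) -> str:
    # Last component with either separator (the report mixes / and \), lower-cased.
    return re.split(r"[\\/]", path)[-1].lower()


def nss_trust_is_ca(trust: str) -> dict[str, bool]:
    """NSS trust string = SSL,email,object-signing slots; 'C' (server CA) or
    'T' (client CA) in a slot makes the cert a trust anchor for that usage."""
    slots = (trust.split(",") + ["", "", ""])[:3]
    return {u: ("C" in s or "T" in s) for u, s in zip(("ssl", "email", "objsign"), slots)}


def _arg_after(args: list[str], flag: str) -> str | None:
    lower = [a.lower() for a in args]
    if flag in lower and lower.index(flag) + 1 < len(args):
        return args[lower.index(flag) + 1]
    return None


def classify(target_id: int, cmdline: str) -> list[Finding]:
    toks = tokenize(cmdline)
    if not toks:
        return []
    image, args = basename(toks[0]), toks[1:]
    lower, raw = [a.lower() for a in args], cmdline.lower()
    out: list[Finding] = []
    if image == "certmgr.exe" and "-add" in lower:
        # certmgr -r <location> <store>: the two tokens after -r name the store
        store = " ".join(args[lower.index("-r") + 1:lower.index("-r") + 3]) if "-r" in lower else ""
        sev = "high" if store.lower() == "localmachine root" else "medium"
        out.append(Finding(target_id, sev, "windows-root-store-add",
                           f"{_arg_after(args, '-c') or '?'} -> {store}"))
    elif image == "certutil.exe" and "-a" in lower and "-t" in lower:
        # -A/-n/-t/-d/-i is NSS certutil syntax; Microsoft's certutil uses -addstore
        usages = [u for u, ok in nss_trust_is_ca(_arg_after(args, "-t") or "").items() if ok]
        where = "" if "system32" in toks[0].lower() else " (binary outside System32)"
        out.append(Finding(target_id, "high" if "ssl" in usages else "medium", "nss-root-store-add",
                           f"{_arg_after(args, '-n')} trusted for {','.join(usages)} "
                           f"in {_arg_after(args, '-d')}{where}"))
    elif image == "regsvr32.exe" and "/s" in lower:
        out.append(Finding(target_id, "info", "silent-com-registration", args[-1]))
    elif image == "cmd.exe" and "firefox\\profiles" in raw:
        out.append(Finding(target_id, "info", "firefox-profile-enumeration", cmdline))
    elif image == "cmd.exe" and ".bat" in raw and "\\temp\\" in raw:
        out.append(Finding(target_id, "info", "batch-from-temp", cmdline))
    return out


def triage(cmdlines: dict[int, str]) -> list[Finding]:
    """Run classify() over every record, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for tid, cl in cmdlines.items() for f in classify(tid, cl)]
    return sorted(found, key=lambda f: (rank[f.severity], f.target_id))


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMANDLINES):
        print(f"[{f.severity:6}] target {f.target_id}: {f.technique}: {f.detail}")
```

Both high findings describe the same CA landing in two independent trust stores, which is the check to make on a host where this installer ran: a root added through certmgr.exe is visible under Cert:\LocalMachine\Root, but the copy written into the profile's NSS database is only visible from inside Firefox or with NSS certutil `-L -d <profile>`, so removing one does not remove the other. The regsvr32.exe and cmd.exe records show `system32` in their command lines while the recorded Path is SysWOW64; that is WoW64 file-system redirection of a 32-bit parent, which the tokenizer leaves alone since classification keys on the image name only.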
Target ID:42
Start time:14:23:16
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\net.exe" stop RDMAppweb
Imagebase:0x490000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:43
                                                                                                                                                                                                          Start time:14:23:16
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:44
                                                                                                                                                                                                          Start time:14:23:16
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:C:\Windows\system32\net1 stop RDMAppweb
                                                                                                                                                                                                          Imagebase:0x920000
                                                                                                                                                                                                          File size:139'776 bytes
                                                                                                                                                                                                          MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:45
                                                                                                                                                                                                          Start time:14:23:17
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
                                                                                                                                                                                                          Imagebase:0x240000
                                                                                                                                                                                                          File size:236'544 bytes
                                                                                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:46
                                                                                                                                                                                                          Start time:14:23:17
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:47
                                                                                                                                                                                                          Start time:14:23:17
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:tasklist
                                                                                                                                                                                                          Imagebase:0xbe0000
                                                                                                                                                                                                          File size:79'360 bytes
                                                                                                                                                                                                          MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:48
                                                                                                                                                                                                          Start time:14:23:19
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe" start
                                                                                                                                                                                                          Imagebase:0x700000
                                                                                                                                                                                                          File size:16'896 bytes
                                                                                                                                                                                                          MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:49
                                                                                                                                                                                                          Start time:14:23:19
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppman.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\rdmappman.exe"
                                                                                                                                                                                                          Imagebase:0x700000
                                                                                                                                                                                                          File size:16'896 bytes
                                                                                                                                                                                                          MD5 hash:13037BCDD7B6062CFC5D5939456AA7F0
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:50
                                                                                                                                                                                                          Start time:14:23:19
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe
                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\RDM Corporation\RDM Appweb\bin\RDMAppweb.exe"
                                                                                                                                                                                                          Imagebase:0x740000
                                                                                                                                                                                                          File size:12'288 bytes
                                                                                                                                                                                                          MD5 hash:BA232235CDE212CF4900B84C7BF1CC0E
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:51
                                                                                                                                                                                                          Start time:14:23:19
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:0x7ff7699e0000
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                          Target ID:52
Start time:14:23:21
Start date:31/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:14:23:21
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:14:23:21
Start date:31/10/2024
Path:C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):true
Commandline:tasklist
Imagebase:0xbe0000
File size:79'360 bytes
MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM "RDMAppman.exe" /T
Imagebase:0xb00000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\net.exe" start RdmAppweb
Imagebase:0x490000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:14:23:22
Start date:31/10/2024
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 start RdmAppweb
Imagebase:0x920000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:14:23:25
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Imagebase:0x400000
File size:8'080'584 bytes
MD5 hash:A1234F8D3A7122BE13679CFA0D9EB3E6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Has exited:true

Target ID:62
Start time:14:23:25
Start date:31/10/2024
Path:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp" /SL5="$30500,7236847,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
Imagebase:0x400000
File size:3'131'344 bytes
MD5 hash:9ECEDBF75204AF13FD44FEE9708AD1A1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Antivirus matches:
• Detection: 2%, ReversingLabs
Has exited:true
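
The records above show the behaviours an analyst would want to pull out of this run in one pass: a process listing redirected into the installer's Inno Setup temp directory, a forced kill of RDMAppman.exe together with its process tree, a service start through net.exe, and a second, silent installer unpacked to a *.tmp stage and started with /SL5. The Python below is an added example, not part of the Joe Sandbox report or of the analysed installer: it parses process records in the report's own Key:Value layout, tags those behaviours, splits the /SL5 argument, and checks that no system binary name appears with more than one MD5. The sample text is a trimmed copy of the records above (conhost.exe, tasklist.exe, taskkill.exe and net1.exe are left out, and the first cmd.exe record has no Target ID on the page, so the parser falls back to its index). The meaning assigned to the /SL5 fields (hex window handle, then Offset0 and Offset1 into the source EXE, then its path) follows my reading of the Inno Setup loader and is an assumption, as are the tag names and the file-size sanity check.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the process records on this page,
# reduced to Path / Commandline / MD5 hash in the report's "Key:Value" layout.
SAMPLE_RECORDS = r"""
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:"cmd.exe" /C tasklist > "C:\Users\user\AppData\Local\Temp\is-4JKS4.tmp\processList.txt"
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B

Target ID:55
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:"cmd.exe" /C taskkill /F /IM "RDMAppman.exe" /T
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B

Target ID:58
Path:C:\Windows\SysWOW64\net.exe
Commandline:"C:\Windows\system32\net.exe" start RdmAppweb
MD5 hash:31890A7DE89936F922D44D677F681A7F

Target ID:61
Path:C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_Support_4.0.3.1.exe
Commandline:"C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
MD5 hash:A1234F8D3A7122BE13679CFA0D9EB3E6

Target ID:62
Path:C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp
Commandline:"C:\Users\user\AppData\Local\Temp\is-OGOAS.tmp\WIN_SCM_SUPPORT_4.0.3.1.tmp" /SL5="$30500,7236847,788480,C:\Users\user\AppData\Local\Temp\is-PG8ND.tmp\WIN_SCM_SUPPORT_4.0.3.1.exe" /VERYSILENT /NORESTART
MD5 hash:9ECEDBF75204AF13FD44FEE9708AD1A1
"""

# Assumed /SL5 layout: "$<hex hwnd>,<Offset0>,<Offset1>,<source exe path>"
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


def parse_records(text):
    """Split blank-line-separated "Key:Value" process records into dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only: paths keep "C:\"
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def image_name(rec):
    return rec.get("Path", "").rsplit("\\", 1)[-1].lower()


def classify(rec):
    """Tag one record with the triage-relevant behaviours seen in this run."""
    exe, cmd = image_name(rec), rec.get("Commandline", "")
    low, tokens, tags = cmd.lower(), cmd.lower().split(), set()
    if exe == "tasklist.exe" or re.search(r"\btasklist\b", low):
        tags.add("process_enumeration")
    if re.search(r"\btaskkill\b", low) and "/f" in tokens:
        tags.add("forced_termination")
        if "/t" in tokens:
            tags.add("kills_process_tree")
    if exe in ("net.exe", "net1.exe") and re.search(r"\b(start|stop)\b", low):
        tags.add("service_control")
    if "/verysilent" in low or "/silent" in low:
        tags.add("silent_install")
    if "/sl5=" in low:
        tags.add("inno_setup_stage2")
    if exe == "cmd.exe" and " > " in cmd:
        tags.add("output_redirected_to_file")
    if "\\appdata\\local\\temp\\" in rec.get("Path", "").lower():
        tags.add("runs_from_temp")
    return tags


def parse_sl5(cmdline, file_size=None):
    """Split an Inno Setup /SL5 argument; field names are an assumption (see lead-in).
    With file_size given, also check that both offsets fall inside the source EXE."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    info = {"hwnd": int(m.group(1), 16), "offset0": int(m.group(2)),
            "offset1": int(m.group(3)), "source_exe": m.group(4)}
    if file_size is not None:
        info["offsets_in_range"] = max(info["offset0"], info["offset1"]) < file_size
    return info


def hash_inventory(records):
    """Map each image name to the sorted MD5s seen for it. Two hashes behind one
    system-binary name deserve a look (masquerading or a patched copy), although
    mixed Windows builds explain it too."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("MD5 hash"):
            seen[image_name(rec)].add(rec["MD5 hash"].upper())
    return {name: sorted(h) for name, h in seen.items()}


def triage(text):
    """Return (target id or #index, image name, sorted tags) for every tagged record."""
    out = []
    for idx, rec in enumerate(parse_records(text)):
        tags = classify(rec)
        if tags:
            out.append((rec.get("Target ID", f"#{idx}"), image_name(rec), sorted(tags)))
    return out


if __name__ == "__main__":
    for tid, name, tags in triage(SAMPLE_RECORDS):
        print(f"{tid:>4}  {name:<36} {', '.join(tags)}")
    print(hash_inventory(parse_records(SAMPLE_RECORDS)))
```

Fed the report's own "File size" for Target ID 61 (8'080'584 bytes), parse_sl5 confirms that both /SL5 offsets lie inside the parent installer, which is the expected shape for an Inno Setup second stage; an /SL5 whose offsets exceed the named file, or whose path points somewhere other than the process that spawned it, would be worth a closer look. None of the tags is malicious on its own: an installer that enumerates processes, stops its own agent and starts its own service is ordinary, which is consistent with the modest score the report gives this sample.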

Target ID:78
Start time:14:23:33
Start date:31/10/2024
Path:C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                          Target ID:92
                                                                                                                                                                                                          Start time:14:23:40
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:
                                                                                                                                                                                                          Has administrator privileges:
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                          Target ID:160
                                                                                                                                                                                                          Start time:14:23:59
                                                                                                                                                                                                          Start date:31/10/2024
                                                                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                          Imagebase:
                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                          Has elevated privileges:
                                                                                                                                                                                                          Has administrator privileges:
                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                          Has exited:false


Execution Graph

Execution Coverage:23.7%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:7.9%
Total number of Nodes:1541
Total number of Limit Nodes:23
6300->6301 6301->6281 6303 406e2c 21 API calls 6302->6303 6304 406ea2 GetLastError 6303->6304 6304->6292 6306 406b94 IsDBCSLeadByte 6305->6306 6308 406c85 6306->6308 6307 406ccf 6307->6098 6308->6307 6309 406ad0 IsDBCSLeadByte 6308->6309 6309->6308 6311 406d43 6310->6311 6312 406c70 IsDBCSLeadByte 6311->6312 6315 406d4e 6312->6315 6313 406b3a 6313->6103 6313->6104 6314 406ad0 IsDBCSLeadByte 6314->6315 6315->6313 6315->6314 6430 4024d0 6431 4024e4 6430->6431 6432 4024e9 6430->6432 6435 401918 4 API calls 6431->6435 6433 402518 6432->6433 6434 40250e RtlEnterCriticalSection 6432->6434 6437 4024ed 6432->6437 6445 402300 6433->6445 6434->6433 6435->6432 6438 402525 6441 402581 6438->6441 6442 402577 RtlLeaveCriticalSection 6438->6442 6440 401fd4 14 API calls 6443 402531 6440->6443 6442->6441 6443->6438 6455 40215c 6443->6455 6446 402314 6445->6446 6447 402335 6446->6447 6453 4023b8 6446->6453 6448 402344 6447->6448 6469 401b74 6447->6469 6448->6438 6448->6440 6452 402455 6452->6448 6454 401d00 9 API calls 6452->6454 6453->6448 6453->6452 6472 401d80 6453->6472 6476 401e84 6453->6476 6454->6448 6456 40217a 6455->6456 6457 402175 6455->6457 6459 4021ab RtlEnterCriticalSection 6456->6459 6461 4021b5 6456->6461 6463 40217e 6456->6463 6458 401918 4 API calls 6457->6458 6458->6456 6459->6461 6460 4021c1 6464 4022e3 RtlLeaveCriticalSection 6460->6464 6465 4022ed 6460->6465 6461->6460 6462 402244 6461->6462 6467 402270 6461->6467 6462->6463 6466 401d80 7 API calls 6462->6466 6463->6438 6464->6465 6465->6438 6466->6463 6467->6460 6468 401d00 7 API calls 6467->6468 6468->6460 6470 40215c 9 API calls 6469->6470 6471 401b95 6470->6471 6471->6448 6473 401d92 6472->6473 6474 401d89 6472->6474 6473->6453 6474->6473 6475 401b74 9 API calls 6474->6475 6475->6473 6481 401768 6476->6481 6478 401e99 6479 401dcc 9 API calls 6478->6479 6480 401ea6 6478->6480 6479->6480 6480->6453 6482 401787 6481->6482 6483 40183b 6482->6483 6484 401494 LocalAlloc VirtualAlloc VirtualAlloc VirtualFree 
6482->6484 6486 40132c LocalAlloc 6482->6486 6487 401821 6482->6487 6489 4017d6 6482->6489 6490 4017e7 6483->6490 6496 4015c4 6483->6496 6484->6482 6486->6482 6488 40150c VirtualFree 6487->6488 6488->6490 6492 40150c 6489->6492 6490->6478 6495 40153b 6492->6495 6493 401594 6493->6490 6494 401568 VirtualFree 6494->6495 6495->6493 6495->6494 6497 40160a 6496->6497 6498 401626 VirtualAlloc 6497->6498 6499 40163a 6497->6499 6498->6497 6498->6499 6499->6490 6500 4028d2 6501 4028da 6500->6501 6503 4028ef 6501->6503 6506 403554 6501->6506 6504 4025ac 4 API calls 6503->6504 6505 4028f4 6504->6505 6507 403566 6506->6507 6509 403578 6507->6509 6510 403604 6507->6510 6509->6501 6511 40357c 6510->6511 6512 4035aa 6511->6512 6517 4035d0 6511->6517 6518 4035b6 6511->6518 6513 4035b1 6512->6513 6514 4035b8 6512->6514 6515 403198 4 API calls 6513->6515 6516 4031b8 4 API calls 6514->6516 6515->6518 6516->6518 6519 40357c 4 API calls 6517->6519 6518->6507 6519->6518 6850 4019d3 6851 4019ba 6850->6851 6852 4019c3 RtlLeaveCriticalSection 6851->6852 6853 4019cd 6851->6853 6852->6853 5578 407ae8 SetFilePointer 5579 407b1f 5578->5579 5580 407b0f GetLastError 5578->5580 5580->5579 5581 407b18 5580->5581 5582 407908 35 API calls 5581->5582 5582->5579 6865 402be9 RaiseException 6866 402c04 6865->6866 6528 40b0ef 6529 40b061 6528->6529 6530 40b08d 6529->6530 6532 409978 9 API calls 6529->6532 6531 40b0a6 6530->6531 6535 40b0a0 RemoveDirectoryA 6530->6535 6533 40b0ba 6531->6533 6534 40b0af DestroyWindow 6531->6534 6532->6530 6536 40b0e2 6533->6536 6537 40357c 4 API calls 6533->6537 6534->6533 6535->6531 6538 40b0d8 6537->6538 6539 4025ac 4 API calls 6538->6539 6539->6536 6540 402af2 6541 402afe 6540->6541 6544 402ed0 6541->6544 6545 403154 4 API calls 6544->6545 6547 402ee0 6545->6547 6546 402b03 6547->6546 6549 402b0c 6547->6549 6550 402b25 6549->6550 6551 402b15 RaiseException 6549->6551 6550->6546 6551->6550 6871 405ff2 6873 405ff4 6871->6873 6872 406030 6875 405d90 19 API calls 6872->6875 
6873->6872 6874 40602a 6873->6874 6878 406047 6873->6878 6874->6872 6876 40609c 6874->6876 6879 406043 6875->6879 6877 405e00 33 API calls 6876->6877 6877->6879 6880 40512c 19 API calls 6878->6880 6881 403198 4 API calls 6879->6881 6882 406070 6880->6882 6884 4060d6 6881->6884 6883 405e00 33 API calls 6882->6883 6883->6879 6899 402dfa 6900 402e26 6899->6900 6901 402e0d 6899->6901 6903 402ba4 6901->6903 6904 402bc9 6903->6904 6905 402bad 6903->6905 6904->6900 6906 402bb5 RaiseException 6905->6906 6906->6904 6564 40b0fd 6573 4098e8 6564->6573 6566 40b102 6567 40b128 6566->6567 6568 40b120 MessageBoxA 6566->6568 6569 403198 4 API calls 6567->6569 6568->6567 6570 40b160 6569->6570 6571 403198 4 API calls 6570->6571 6572 40b168 6571->6572 6574 4098f4 GetCurrentProcess OpenProcessToken 6573->6574 6575 40994f ExitWindowsEx 6573->6575 6576 409906 6574->6576 6577 40990a LookupPrivilegeValueA AdjustTokenPrivileges GetLastError 6574->6577 6575->6576 6576->6566 6577->6575 6577->6576 6907 409dfe 6910 409e00 6907->6910 6908 409e22 6909 409e3e CallWindowProcA 6909->6908 6910->6908 6910->6909 6582 403a80 CloseHandle 6583 403a90 6582->6583 6584 403a91 GetLastError 6582->6584 6585 404283 6586 4042c3 6585->6586 6587 403154 4 API calls 6586->6587 6588 404323 6587->6588 6911 404185 6912 4041ff 6911->6912 6913 4041cc 6912->6913 6914 403154 4 API calls 6912->6914 6915 404323 6914->6915 6589 403e87 6590 403e4c 6589->6590 6591 403e67 6590->6591 6592 403e62 6590->6592 6593 403e7b 6590->6593 6596 403e78 6591->6596 6597 402674 4 API calls 6591->6597 6595 403cc8 4 API calls 6592->6595 6594 402674 4 API calls 6593->6594 6594->6596 6595->6591 6597->6596 5357 407493 5358 407484 SetErrorMode 5357->5358 6607 403a97 6608 403aac 6607->6608 6609 403bbc GetStdHandle 6608->6609 6610 403b0e CreateFileA 6608->6610 6616 403ab2 6608->6616 6611 403c17 GetLastError 6609->6611 6617 403bba 6609->6617 6610->6611 6612 403b2c 6610->6612 6611->6616 6614 403b3b GetFileSize 6612->6614 6612->6617 6614->6611 6618 
403b4e SetFilePointer 6614->6618 6615 403be7 GetFileType 6615->6616 6620 403c02 CloseHandle 6615->6620 6617->6615 6617->6616 6618->6611 6621 403b6a ReadFile 6618->6621 6620->6616 6621->6611 6622 403b8c 6621->6622 6622->6617 6623 403b9f SetFilePointer 6622->6623 6623->6611 6624 403bb0 SetEndOfFile 6623->6624 6624->6611 6624->6617 5583 40aa98 5626 4030dc 5583->5626 5585 40aaae 5629 4042e8 5585->5629 5587 40aab3 5632 404654 GetModuleHandleA GetVersion 5587->5632 5591 40aabd 5723 406a18 5591->5723 5593 40aac2 5732 409520 GetModuleHandleA GetProcAddress GetModuleHandleA GetProcAddress 5593->5732 5600 40ab05 5760 40707c 5600->5760 5604 4031e8 18 API calls 5605 40ab23 5604->5605 5774 40795c 5605->5774 5611 407d94 InterlockedExchange 5614 40ab72 5611->5614 5612 40abb0 5794 40791c 5612->5794 5614->5612 5831 409f88 5614->5831 5615 40abd6 5616 40abf1 5615->5616 5617 409f88 18 API calls 5615->5617 5798 407ea4 5616->5798 5617->5616 5619 40ac16 5808 408f84 5619->5808 5623 40ac5c 5624 408f84 35 API calls 5623->5624 5625 40ac95 5623->5625 5624->5623 5841 403094 5626->5841 5628 4030e1 GetModuleHandleA GetCommandLineA 5628->5585 5630 403154 4 API calls 5629->5630 5631 404323 5629->5631 5630->5631 5631->5587 5633 4046a5 5632->5633 5634 404685 GetProcAddress 5632->5634 5636 4046ad GetProcAddress 5633->5636 5637 4048af GetProcAddress 5633->5637 5634->5633 5635 404696 5634->5635 5635->5633 5640 4046bc 5636->5640 5638 4048c5 GetProcAddress 5637->5638 5639 4048be 5637->5639 5642 4048d4 SetProcessDEPPolicy 5638->5642 5643 4048d8 5638->5643 5639->5638 5842 4045a0 GetSystemDirectoryA 5640->5842 5642->5643 5645 403198 4 API calls 5643->5645 5647 4048ed 5645->5647 5646 4031e8 18 API calls 5648 4046d8 5646->5648 5722 404a74 6F551CD0 5647->5722 5648->5637 5649 40470b 5648->5649 5650 4032fc 18 API calls 5648->5650 5845 40322c 5649->5845 5650->5649 5653 4032fc 18 API calls 5654 404726 5653->5654 5849 4045cc SetErrorMode 5654->5849 5657 40322c 4 API calls 5658 40473c 5657->5658 5659 4032fc 18 API 
calls 5658->5659 5660 404749 5659->5660 5661 4045cc 2 API calls 5660->5661 5662 404751 5661->5662 5663 40322c 4 API calls 5662->5663 5664 40475f 5663->5664 5665 4032fc 18 API calls 5664->5665 5666 40476c 5665->5666 5667 4045cc 2 API calls 5666->5667 5668 404774 5667->5668 5669 40322c 4 API calls 5668->5669 5670 404782 5669->5670 5671 4032fc 18 API calls 5670->5671 5672 40478f 5671->5672 5673 4045cc 2 API calls 5672->5673 5674 404797 5673->5674 5675 40322c 4 API calls 5674->5675 5676 4047a5 5675->5676 5677 4032fc 18 API calls 5676->5677 5678 4047b2 5677->5678 5679 4045cc 2 API calls 5678->5679 5680 4047ba 5679->5680 5681 40322c 4 API calls 5680->5681 5682 4047c8 5681->5682 5683 4032fc 18 API calls 5682->5683 5684 4047d5 5683->5684 5685 4045cc 2 API calls 5684->5685 5686 4047dd 5685->5686 5687 40322c 4 API calls 5686->5687 5688 4047eb 5687->5688 5689 4032fc 18 API calls 5688->5689 5690 4047f8 5689->5690 5691 4045cc 2 API calls 5690->5691 5692 404800 5691->5692 5693 40322c 4 API calls 5692->5693 5694 40480e 5693->5694 5695 4032fc 18 API calls 5694->5695 5696 40481b 5695->5696 5697 4045cc 2 API calls 5696->5697 5698 404823 5697->5698 5699 40322c 4 API calls 5698->5699 5700 404831 5699->5700 5701 4032fc 18 API calls 5700->5701 5702 40483e 5701->5702 5703 4045cc 2 API calls 5702->5703 5704 404846 5703->5704 5705 40322c 4 API calls 5704->5705 5706 404854 5705->5706 5707 4032fc 18 API calls 5706->5707 5708 404861 5707->5708 5709 4045cc 2 API calls 5708->5709 5710 404869 5709->5710 5711 40322c 4 API calls 5710->5711 5712 404877 5711->5712 5713 4032fc 18 API calls 5712->5713 5714 404884 5713->5714 5715 4045cc 2 API calls 5714->5715 5716 40488c 5715->5716 5717 40322c 4 API calls 5716->5717 5718 40489a 5717->5718 5719 4032fc 18 API calls 5718->5719 5720 4048a7 5719->5720 5721 4045cc 2 API calls 5720->5721 5721->5637 5722->5591 5858 4060f8 5723->5858 5733 409575 5732->5733 5938 407144 GetSystemDirectoryA 5733->5938 5737 40959c 5738 4032fc 18 API calls 5737->5738 5739 4095a9 
5738->5739 5951 40741c SetErrorMode 5739->5951 5742 407700 19 API calls 5743 4095c3 5742->5743 5744 4031b8 4 API calls 5743->5744 5745 4095dd 5744->5745 5746 40a018 GetSystemInfo VirtualQuery 5745->5746 5747 40a0cc 5746->5747 5750 40a042 5746->5750 5752 409c08 5747->5752 5748 40a0ad VirtualQuery 5748->5747 5748->5750 5749 40a06c VirtualProtect 5749->5750 5750->5747 5750->5748 5750->5749 5751 40a09b VirtualProtect 5750->5751 5751->5748 5979 407020 GetCommandLineA 5752->5979 5754 409cf0 5755 4031b8 4 API calls 5754->5755 5757 409d0a 5755->5757 5756 40707c 20 API calls 5759 409c25 5756->5759 5757->5600 5824 40a128 5757->5824 5758 403454 18 API calls 5758->5759 5759->5754 5759->5756 5759->5758 5761 4070a3 GetModuleFileNameA 5760->5761 5762 4070c7 GetCommandLineA 5760->5762 5763 403278 18 API calls 5761->5763 5769 4070cc 5762->5769 5764 4070c5 5763->5764 5766 4070f4 5764->5766 5765 4070d1 5767 403198 4 API calls 5765->5767 5771 403198 4 API calls 5766->5771 5770 4070d9 5767->5770 5768 406f40 18 API calls 5768->5769 5769->5765 5769->5768 5769->5770 5772 40322c 4 API calls 5770->5772 5773 407109 5771->5773 5772->5766 5773->5604 5775 407966 5774->5775 5986 4079f2 5775->5986 5989 4079f4 5775->5989 5776 407992 5777 4079a6 5776->5777 5778 407908 35 API calls 5776->5778 5781 40a0d4 FindResourceA 5777->5781 5778->5777 5782 40a0e9 5781->5782 5783 40a0ee SizeofResource 5781->5783 5784 409f88 18 API calls 5782->5784 5785 40a100 LoadResource 5783->5785 5786 40a0fb 5783->5786 5784->5783 5788 40a113 LockResource 5785->5788 5789 40a10e 5785->5789 5787 409f88 18 API calls 5786->5787 5787->5785 5791 40a124 5788->5791 5792 40a11f 5788->5792 5790 409f88 18 API calls 5789->5790 5790->5788 5791->5611 5791->5614 5793 409f88 18 API calls 5792->5793 5793->5791 5795 407930 5794->5795 5796 407940 5795->5796 5797 407868 34 API calls 5795->5797 5796->5615 5797->5796 5799 407eb1 5798->5799 5800 405ce0 18 API calls 5799->5800 5801 407f05 5799->5801 5800->5801 5802 407d94 InterlockedExchange 
5801->5802 5803 407f17 5802->5803 5804 405ce0 18 API calls 5803->5804 5805 407f2d 5803->5805 5804->5805 5806 407f70 5805->5806 5807 405ce0 18 API calls 5805->5807 5806->5619 5807->5806 5818 408ffe 5808->5818 5820 408fb5 5808->5820 5809 409049 5992 408134 5809->5992 5811 4034f0 18 API calls 5811->5820 5812 409060 5814 4031b8 4 API calls 5812->5814 5813 4034f0 18 API calls 5813->5818 5816 40907a 5814->5816 5815 403420 18 API calls 5815->5820 5838 405070 5816->5838 5817 4031e8 18 API calls 5817->5820 5818->5809 5818->5813 5819 4031e8 18 API calls 5818->5819 5821 403420 18 API calls 5818->5821 5823 408134 35 API calls 5818->5823 5819->5818 5820->5811 5820->5815 5820->5817 5820->5818 5822 408134 35 API calls 5820->5822 5821->5818 5822->5820 5823->5818 5825 40322c 4 API calls 5824->5825 5826 40a14b 5825->5826 5827 40a15a MessageBoxA 5826->5827 5828 40a16f 5827->5828 5829 403198 4 API calls 5828->5829 5830 40a177 5829->5830 5830->5600 5832 409f91 5831->5832 5833 409fa9 5831->5833 5835 405ce0 18 API calls 5832->5835 5834 405ce0 18 API calls 5833->5834 5836 409fba 5834->5836 5837 409fa3 5835->5837 5836->5612 5837->5612 5839 402594 18 API calls 5838->5839 5840 40507b 5839->5840 5840->5623 5841->5628 5853 40458c 5842->5853 5847 403230 5845->5847 5846 403252 5846->5653 5847->5846 5848 4025ac 4 API calls 5847->5848 5848->5846 5856 403414 5849->5856 5852 40461e 5852->5657 5854 4032c4 18 API calls 5853->5854 5855 40459b 5854->5855 5855->5646 5857 403418 LoadLibraryA 5856->5857 5857->5852 5859 405d90 19 API calls 5858->5859 5860 406109 5859->5860 5861 4056d0 GetSystemDefaultLCID 5860->5861 5863 405706 5861->5863 5862 40512c 19 API calls 5862->5863 5863->5862 5864 40565c 19 API calls 5863->5864 5865 4031e8 18 API calls 5863->5865 5867 405768 5863->5867 5864->5863 5865->5863 5866 40512c 19 API calls 5866->5867 5867->5866 5868 40565c 19 API calls 5867->5868 5869 4031e8 18 API calls 5867->5869 5870 4057eb 5867->5870 5868->5867 5869->5867 5871 4031b8 4 API calls 5870->5871 5872 405805 
5871->5872 5873 405814 GetSystemDefaultLCID 5872->5873 5930 40565c GetLocaleInfoA 5873->5930 5876 4031e8 18 API calls 5877 405854 5876->5877 5878 40565c 19 API calls 5877->5878 5879 405869 5878->5879 5880 40565c 19 API calls 5879->5880 5881 40588d 5880->5881 5936 4056a8 GetLocaleInfoA 5881->5936 5884 4056a8 GetLocaleInfoA 5885 4058bd 5884->5885 5886 40565c 19 API calls 5885->5886 5887 4058d7 5886->5887 5888 4056a8 GetLocaleInfoA 5887->5888 5889 4058f4 5888->5889 5890 40565c 19 API calls 5889->5890 5891 40590e 5890->5891 5892 4031e8 18 API calls 5891->5892 5893 40591b 5892->5893 5894 40565c 19 API calls 5893->5894 5895 405930 5894->5895 5896 4031e8 18 API calls 5895->5896 5897 40593d 5896->5897 5898 4056a8 GetLocaleInfoA 5897->5898 5899 40594b 5898->5899 5900 40565c 19 API calls 5899->5900 5901 405965 5900->5901 5902 4031e8 18 API calls 5901->5902 5903 405972 5902->5903 5904 40565c 19 API calls 5903->5904 5905 405987 5904->5905 5906 4031e8 18 API calls 5905->5906 5907 405994 5906->5907 5908 40565c 19 API calls 5907->5908 5909 4059a9 5908->5909 5910 4059c6 5909->5910 5911 4059b7 5909->5911 5913 40322c 4 API calls 5910->5913 5912 40322c 4 API calls 5911->5912 5914 4059c4 5912->5914 5913->5914 5915 40565c 19 API calls 5914->5915 5916 4059e8 5915->5916 5917 405a05 5916->5917 5918 4059f6 5916->5918 5920 403198 4 API calls 5917->5920 5919 40322c 4 API calls 5918->5919 5921 405a03 5919->5921 5920->5921 5922 4033b4 18 API calls 5921->5922 5923 405a27 5922->5923 5924 4033b4 18 API calls 5923->5924 5925 405a41 5924->5925 5926 4031b8 4 API calls 5925->5926 5927 405a5b 5926->5927 5928 406144 GetVersionExA 5927->5928 5929 40615b 5928->5929 5929->5593 5931 405683 5930->5931 5932 405695 5930->5932 5933 403278 18 API calls 5931->5933 5934 40322c 4 API calls 5932->5934 5935 405693 5933->5935 5934->5935 5935->5876 5937 4056c4 5936->5937 5937->5884 5955 405230 5938->5955 5941 406a88 5942 406a92 5941->5942 5943 406ab5 5941->5943 5958 406da0 5942->5958 5944 40322c 4 API calls 5943->5944 
5946 406abe 5944->5946 5946->5737 5947 406a99 5947->5943 5948 406aa4 5947->5948 5963 403340 5948->5963 5950 406ab2 5950->5737 5952 403414 5951->5952 5953 407454 LoadLibraryA 5952->5953 5954 40746a 5953->5954 5954->5742 5956 4032c4 18 API calls 5955->5956 5957 40523f 5956->5957 5957->5941 5959 406da7 5958->5959 5960 406dab 5958->5960 5959->5947 5978 406dc0 CharPrevA 5960->5978 5962 406dbc 5962->5947 5964 403344 5963->5964 5965 4033a5 5963->5965 5966 4031e8 5964->5966 5967 40334c 5964->5967 5971 403254 18 API calls 5966->5971 5973 4031fc 5966->5973 5967->5965 5968 40335b 5967->5968 5972 4031e8 18 API calls 5967->5972 5970 403254 18 API calls 5968->5970 5969 403228 5969->5950 5975 403375 5970->5975 5971->5973 5972->5968 5973->5969 5974 4025ac 4 API calls 5973->5974 5974->5969 5976 4031e8 18 API calls 5975->5976 5977 4033a1 5976->5977 5977->5950 5978->5962 5980 406f40 18 API calls 5979->5980 5981 407043 5980->5981 5982 406f40 18 API calls 5981->5982 5983 407055 5981->5983 5982->5981 5984 403198 4 API calls 5983->5984 5985 40706a 5984->5985 5985->5759 5987 4079f4 5986->5987 5988 407a33 CreateFileA 5987->5988 5988->5776 5990 403414 5989->5990 5991 407a33 CreateFileA 5990->5991 5991->5776 5993 40814f 5992->5993 5997 408144 5992->5997 5998 4080d8 5993->5998 5996 405ce0 18 API calls 5996->5997 5997->5812 5999 40812b 5998->5999 6000 4080ec 5998->6000 5999->5996 5999->5997 6000->5999 6002 408028 6000->6002 6003 408033 6002->6003 6004 408044 6002->6004 6005 405ce0 18 API calls 6003->6005 6006 40791c 34 API calls 6004->6006 6005->6004 6007 408058 6006->6007 6008 40791c 34 API calls 6007->6008 6009 408079 6008->6009 6010 407d94 InterlockedExchange 6009->6010 6011 40808e 6010->6011 6012 4080a4 6011->6012 6013 405ce0 18 API calls 6011->6013 6012->6000 6013->6012 6625 40949a 6626 40948c 6625->6626 6627 409428 Wow64RevertWow64FsRedirection 6626->6627 6628 409494 6627->6628 6629 40949c SetLastError 6630 4094a5 6629->6630 6014 407aa8 ReadFile 6015 407ac8 6014->6015 6016 407adf 
6014->6016 6017 407ad8 6015->6017 6018 407ace GetLastError 6015->6018 6019 407908 35 API calls 6017->6019 6018->6016 6018->6017 6019->6016 6631 402caa 6632 403154 4 API calls 6631->6632 6633 402caf 6632->6633 6934 4075aa 6935 407594 6934->6935 6936 403198 4 API calls 6935->6936 6937 40759c 6936->6937 6938 403198 4 API calls 6937->6938 6939 4075a4 6938->6939 6634 4028ac 6635 402594 18 API calls 6634->6635 6636 4028b6 6635->6636 6940 4093ac 6943 409278 6940->6943 6944 409281 6943->6944 6945 403198 4 API calls 6944->6945 6946 40928f 6944->6946 6945->6944 6947 4055b0 6948 4055c3 6947->6948 6949 4052a8 33 API calls 6948->6949 6950 4055d7 6949->6950 6637 40acb4 6638 40acd9 6637->6638 6639 409ddc 29 API calls 6638->6639 6642 40acde 6639->6642 6640 40ad31 6671 4026c4 GetSystemTime 6640->6671 6642->6640 6645 409254 18 API calls 6642->6645 6643 40ad36 6644 4097d0 46 API calls 6643->6644 6646 40ad3e 6644->6646 6647 40ad0d 6645->6647 6648 4031e8 18 API calls 6646->6648 6651 40ad15 MessageBoxA 6647->6651 6649 40ad4b 6648->6649 6650 406d78 19 API calls 6649->6650 6652 40ad58 6650->6652 6651->6640 6653 40ad22 6651->6653 6654 406b10 19 API calls 6652->6654 6655 405cb4 19 API calls 6653->6655 6656 40ad68 6654->6656 6655->6640 6657 406a88 19 API calls 6656->6657 6658 40ad79 6657->6658 6659 403340 18 API calls 6658->6659 6660 40ad87 6659->6660 6661 4031e8 18 API calls 6660->6661 6662 40ad97 6661->6662 6663 40795c 37 API calls 6662->6663 6664 40add6 6663->6664 6665 402594 18 API calls 6664->6665 6666 40adf6 6665->6666 6667 407ea4 19 API calls 6666->6667 6668 40ae38 6667->6668 6669 408134 35 API calls 6668->6669 6670 40ae5f 6669->6670 6671->6643 6672 401ab9 6673 401a96 6672->6673 6674 401aa9 RtlDeleteCriticalSection 6673->6674 6675 401a9f RtlLeaveCriticalSection 6673->6675 6675->6674

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 0040466F
• GetVersion.KERNEL32(kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 00404676
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040468B
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004046B3
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004048B5
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004048CB
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,004048EE,?,?,?,?,00000000,?,0040AAB8), ref: 004048D6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcessVersion
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
• API String ID: 3297890031-2388063882
• Opcode ID: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
• Instruction ID: 9e7baa03e94b680687c531d55c537e9110a8ac934c54f9465d7227ec1282235b
• Opcode Fuzzy Hash: 6206738d1768993a266272c574535deacfcb651ff371490375f42cd1ba234e07
• Instruction Fuzzy Hash: B2611070600149AFDB00FBF6DA8398E77A99F80309B2045BBA604772D6D778EF059B5D

Control-flow Graph

APIs
• GetSystemInfo.KERNEL32(?), ref: 0040A02A
• VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 0040A035
• VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A076
• VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 0040A0A8
• VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 0040A0B8
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Virtual$ProtectQuery$InfoSystem
• String ID:
• API String ID: 2441996862-0
• Opcode ID: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
• Instruction ID: f5309bbdda193f62b4be3c179e768a57e3f3f612c04de257546ab44ee606f1f6
• Opcode Fuzzy Hash: 9ac3e84cebc6f461d525c38fea5a33ab6cb0156132446b09103c7350edb016b4
• Instruction Fuzzy Hash: 142190B1240308ABD6309E69CC85F5777D8DF85354F08493AFAC5E33C2D63DE860866A
APIs
• GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
• Instruction ID: d14b50eaf9df709ed1cf3d56deeb77a2084f63d122e7671578114c6bad5e918b
• Opcode Fuzzy Hash: 7459d56e7c64c485d498697c6eb088ce7aaa21e11ea95b6c07db09bb75ef8263
• Instruction Fuzzy Hash: 68E0D87170021427D711A9699C86EFB735CDB58314F4006BFB909E73C6EDB59E8046ED

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 00409542
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409548
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE,?,?,?,?,00000000,00000000,?,0040AACC), ref: 0040955C
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00409562
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
• API String ID: 1646373207-2130885113
• Opcode ID: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
• Instruction ID: 3d1781b746021e9606986d5b6d55f7cbde73f6a932e0ba52378b2443c6d91f24
• Opcode Fuzzy Hash: 9711803e7e97600f978dac47126909fe1692835b2a3da83a2610dda9fb37f9b7
• Instruction Fuzzy Hash: 79115470908244BEDB01FBA2CD43B5A7B68D784744F204477F501762D3DA7D5E08DA2D

Control-flow Graph

APIs
  • Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
• SetWindowLongA.USER32(000104F4,000000FC,Function_00009E00), ref: 0040AFB5
  • Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4
  • Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
  • Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
  • Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
• RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
• DestroyWindow.USER32(000104F4,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryErrorExitLastLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 849423697-3001827809
• Opcode ID: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
• Instruction ID: d96ad4f456555d006dfdd6a111ba55fa130d32b67bbf9cfe256734ebf9c0f5f1
• Opcode Fuzzy Hash: 08113ef3ce2da518920d8c13058acc363925f6704d668fbfbfd076efd3cb2295
• Instruction Fuzzy Hash: 95413070A006449BD711EBE9EE85B9A77E4EB58304F10427BF514BB2E1C7B89C49CB9C

Control-flow Graph

APIs
• CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040AF9E
• SetWindowLongA.USER32(000104F4,000000FC,Function_00009E00), ref: 0040AFB5
  • Part of subcall function 00406FCC: GetCommandLineA.KERNEL32(00000000,00407010,?,?,?,?,00000000), ref: 00406FE4
  • Part of subcall function 00409E8C: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
  • Part of subcall function 00409E8C: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
  • Part of subcall function 00409E8C: GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
  • Part of subcall function 00409E8C: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
• RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
• DestroyWindow.USER32(000104F4,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
• String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
• API String ID: 3586484885-3001827809
• Opcode ID: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
• Instruction ID: 22e85acea042a1c9b241f29fbd05952515ad99a43a6683ef4ce3977848861488
• Opcode Fuzzy Hash: 3e82f52e343573e9ee8ccf82fbc097b32b2466bbbc9497f93a956efcdcfa5545
• Instruction Fuzzy Hash: 00410971A006049BD710EBE9EE85BAA77A4EB58304F10427AF514BB2E1D7789C48CB9C

Control-flow Graph

APIs
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000,00409F5F), ref: 00409EFC
• CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78,00000000), ref: 00409F10
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409F29
• GetExitCodeProcess.KERNEL32(?), ref: 00409F3B
• CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409F84,?,00409F78), ref: 00409F44
  • Part of subcall function 00409AE8: GetLastError.KERNEL32(00000000,00409B8B), ref: 00409B0C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
• String ID: D
• API String ID: 3356880605-2746444292
• Opcode ID: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
• Instruction ID: c83664c5db2498e28503e3c1fa1a9009394fa647db11d74ebe1f458a85c7f7ae
• Opcode Fuzzy Hash: 7df226d52587f770460e981b15b5d19bc6ab37567cde566df4420800d0169a2d
• Instruction Fuzzy Hash: 19113DB16042096ADB00EBE6CC42F9EB7ACEF89714F50017AB604F72C6DA789D048669

Control-flow Graph
APIs
• RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00401AB4), ref: 00401A09
• LocalFree.KERNEL32(00000000,00000000,00401AB4), ref: 00401A1B
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A3A
• LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401AB4), ref: 00401A79
• RtlLeaveCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AA4
• RtlDeleteCriticalSection.KERNEL32(0040D41C,00401ABB), ref: 00401AAE
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
• Instruction ID: 2a1e8c518b16d72ac75c21d19d034316e64e92064156904d4596c6339aa50fda
• Opcode Fuzzy Hash: 15ada844baba389fd7ade49cb76aeb00e47773f80fc89bec03b8d509a4e9cc02
• Instruction Fuzzy Hash: 65114274B422805ADB11EBE99EC6F5276689785708F44407FF448B62F2C67CA848CB6D

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message
• String ID: .tmp$@z@$d~@
• API String ID: 2030045667-2080866987
• Opcode ID: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
• Instruction ID: dd76c9251985b1ff4450233ddc9785193850427026a6d5c0e90a1b5537d094b7
• Opcode Fuzzy Hash: 2b85bf55d00087c4ee4d3d53e5bb2d438756d7f2ac1061807f4f56549d36f6d1
• Instruction Fuzzy Hash: 4B419570A046009FD705EFA5DE91A2A77A5EB59304B11447BF804BB7E1CA79AC04CB9D

Control-flow Graph

APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 0040AD18
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Message
• String ID: .tmp$@z@$d~@
• API String ID: 2030045667-2080866987
• Opcode ID: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
• Instruction ID: bf9d77eae5c07405b3109107b1835c74e23881a639ebcc62aff07684a9841850
• Opcode Fuzzy Hash: 81bdbc4c120031e8217955485f9b4631603aba5f155e491865d52178ba1ca84f
• Instruction Fuzzy Hash: BF419570B006019FD705EFA5DE92A6A77A5EB59304B10447BF804BB7E1CBB9AC04CB9D

Control-flow Graph
APIs
• MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
• ExitProcess.KERNEL32 ref: 00403DE5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ExitMessageProcess
• String ID: Error$Runtime error at 00000000
• API String ID: 1220098344-2970929446
• Opcode ID: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
• Instruction ID: 19c161ad1fd1f445befe0ff666437f64548d8e35ccd3b0abec794ae5707e41c3
• Opcode Fuzzy Hash: 06c1af3a807ed13e53e556f1551eab319716f56e5b0a099a7904d38b73613604
• Instruction Fuzzy Hash: 0421C834E152418AE714EFE59A817153E989B5930DF04817BD504B73E3C67C9A4EC36E

Control-flow Graph

APIs
• RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
• RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
• LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
• RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalSection$AllocEnterInitializeLeaveLocal
• String ID:
• API String ID: 730355536-0
• Opcode ID: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
• Instruction ID: ca3d82fa79822ebb621977d4c6345e30539334a4bf25a92a69ec079a2ec9ab95
• Opcode Fuzzy Hash: 8414f493d6facd55d67710fc415b07d88c3ef9d9c2abb5a5bebd487d02bb0f40
• Instruction Fuzzy Hash: F20192B4E442405EE715ABFA9A56B253BA4D789704F1080BFF044F72F2C67C6458C75D

Control-flow Graph

APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409816
• GetLastError.KERNEL32(00000000,00000000,?,00000000,004098BF,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040981F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
• Instruction ID: 48b9f2fdce89366346d31e95a36bae064327856a755920fc8e2ea7d65379a348
• Opcode Fuzzy Hash: bcfdd319b68c6234bb3b3c2b6e0791bb6992f3f2d01426f3b13c32e67b0b1ca6
• Instruction Fuzzy Hash: 23211575A10208ABDB05FFE5C8529DFB7B9EB48304F10457BE901B73C2DA789E05CAA5

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0
• Opcode ID: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
• Instruction ID: 55ccdd2d2ee1bdbcd31af2ea42c7aee1c1b219f05c386506858fe4dd166fe014
• Opcode Fuzzy Hash: 1c248293a53693e5016b31d34f136ae5d975e0b827204b722e02cf7f87de802c
• Instruction Fuzzy Hash: 6AF090B2A0511856CA25A6AE9881B6FB28CEAC0368714413FFA44F7383D43DDC0152BA

Control-flow Graph

APIs
• RtlEnterCriticalSection.KERNEL32(0040D41C,00000000,00402148), ref: 00402017
  • Part of subcall function 00401918: RtlInitializeCriticalSection.KERNEL32(0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
  • Part of subcall function 00401918: RtlEnterCriticalSection.KERNEL32(0040D41C,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
  • Part of subcall function 00401918: LocalAlloc.KERNEL32(00000000,00000FF8,0040D41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
  • Part of subcall function 00401918: RtlLeaveCriticalSection.KERNEL32(0040D41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
• Opcode ID: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
• Instruction ID: 72c497f3d878e3d6a4a9583ee00a9bb41c235ef620702b970aaba137d6b92855
• Opcode Fuzzy Hash: f63e8093b7c21695f3c5f0f727b66ad92d47f8bd02e6a7dbcfb51ec74dbfdd03
• Instruction Fuzzy Hash: 2341C2B2E007019FD710CFA9DE8561A7BA0EB58314B15817BD549B73E1D378A849CB48
APIs
• DeleteFileA.KERNEL32(00000000,00000000,00409495), ref: 0040946F
• GetLastError.KERNEL32(00000000,00000000,00409495), ref: 00409477
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
• Instruction ID: 3a2bfa3924d7da3ec485a5c2eebce42195f764b2344cc107bbad9e5710e02f6c
• Opcode Fuzzy Hash: cef11d40a142b83803210e371880030b93b56e60c6b6d61991ebac398e5bf5ba
• Instruction Fuzzy Hash: 3EF0AF71A08608ABCB01EFB59C4159EB3A8EB8831476045BBF808F32C3E6395E018599
APIs
• SetErrorMode.KERNEL32(00008000), ref: 00407426
• LoadLibraryA.KERNEL32(00000000,00000000,00407470,?,00000000,0040748E,?,00008000), ref: 00407455
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
                                                                                                                                                                                                            • Opcode ID: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
                                                                                                                                                                                                            • Instruction ID: f52ba4a9feec5d4d4615fe406f45eaba014741ff6d770d8a308f032ff20cb8dd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c3291ca482dc4e73124ef6673235b1c1e4da24983ec1cf579c69c8d77eb9c24
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 26F08270A14708BEDB025FB68C5282ABAECE749B1475288B6F900A2AD2E53C5820C569
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RemoveDirectoryA.KERNEL32(00000000,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0A1
                                                                                                                                                                                                            • DestroyWindow.USER32(000104F4,0040B0F4,Function_00009E00,00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040B0B5
                                                                                                                                                                                                              • Part of subcall function 00409978: Sleep.KERNEL32(?), ref: 00409997
                                                                                                                                                                                                              • Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099BA
                                                                                                                                                                                                              • Part of subcall function 00409978: GetLastError.KERNEL32(?), ref: 004099C4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast$DestroyDirectoryRemoveSleepWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2192421792-0
                                                                                                                                                                                                            • Opcode ID: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
                                                                                                                                                                                                            • Instruction ID: 80fe6e0f7824975e72fa29ef6d7a10d3d2514edd0f005a574200bdc13b2d30de
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 42b787c3d9f5bd55058fd6c8f85d5fac1abeba9ca40111c3c6816528150393fb
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C9F0CD70A105009BD725ABA9EE99B2632E5E7A4305F04453AA110BB2F1C7BD9C88CA8D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00407B07
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00407B0F
                                                                                                                                                                                                              • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020A03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1156039329-0
                                                                                                                                                                                                            • Opcode ID: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
                                                                                                                                                                                                            • Instruction ID: 2b235249b0a7ee07bcb8c1d8603e448d3cb6330bb11491e7c51f1e2a1a123f33
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1efacffe01c84972d5e79d9e95937cadebc248d177395cf3b78af7fa5ea4bab0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 13E092767081005FD610E55DC881A9B33DCDFC53A8F004537B654EB1D1D675B8008366
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407ABF
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407ACE
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorFileLastRead
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1948546556-0
                                                                                                                                                                                                            • Opcode ID: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
                                                                                                                                                                                                            • Instruction ID: e15dfe76c2c2153dd18fa5b66318eead10a3336b01bc7908bb5745e2d55223c8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62bc4757170e124d293d2e1ae2527044cf5abdc53c736f625f33b9d4ecf98daf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DAE092A17181106EEB20A65E9884F6B67DCCBC9314F04817BF508EB282D6B8DC008777
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 00407A57
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,00000000,?,00000001), ref: 00407A63
                                                                                                                                                                                                              • Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020A03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1156039329-0
                                                                                                                                                                                                            • Opcode ID: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
                                                                                                                                                                                                            • Instruction ID: b2e9c79a061d94bc6c1ac4e6a69a759f2ef78579472dc31f5d333ffaff30462c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f363b337b605630cba33b2c75e34e58c088fa0b570b5e63e1fb747f55acf4b7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C7E01AB1A002109EEB20EBB58981B5662D89B44364B048576A654DB2C6D274E800CB66
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
                                                                                                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Virtual$AllocFree
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2087232378-0
                                                                                                                                                                                                            • Opcode ID: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
                                                                                                                                                                                                            • Instruction ID: 66c3474f10fe082fedccbde799efe3bb5b58ff080b56d2e089ed954f0af67306
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e3bf9ef34a83e5b8d51b462a41b7d68ce2248d991abf67c6f3f1ae437811ef8b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DAF02772B0032017DB2069AA0CC1B536AC59F85B90F1540BBFA4CFF3F9D2B98C0442A9
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00405806), ref: 004056EF
                                                                                                                                                                                                              • Part of subcall function 0040512C: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00405149
                                                                                                                                                                                                              • Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00407A34
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00406E74,?,?,?,?,00000000,?,00406E89,004071E3,00000000,00407228,?,?,?), ref: 00406E57
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407B5B
• Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020A03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004095C3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0040771F
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
APIs
• SetEndOfFile.KERNEL32(?,020BBFF4,0040AEF9,00000000), ref: 00407B2F
• Part of subcall function 00407908: GetLastError.KERNEL32(@z@,004079A6,?,?,020A03AC,?,0040AB3B,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040790B
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
APIs
• SetErrorMode.KERNEL32(?,00407495), ref: 00407488
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorMode
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                                                                                            • Opcode ID: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
                                                                                                                                                                                                            • Instruction ID: fee884e8913e26ea2b20a1c4334648daa9a2c142b99fe0c27f31eb53e83e856d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3513d2af45e6240a0d0531d222129c39ee3681c2f506e4d79ab3159715fa7836
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C6B09B76A0C2006DE705DEE5645153877D4D7C47103B14877F100D65C1D93C94108519
APIs
• SetErrorMode.KERNEL32(?,00407495), ref: 00407488
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
• Instruction ID: c7febe38ef9f985557de65a49c8e3beabd1cb56d23a205183508381f5ecd03fa
• Opcode Fuzzy Hash: a150b1ccc28004dcf137bb0f7729195edfbe3cd1821f17504bb802deebb031e2
• Instruction Fuzzy Hash: EEA022A8C08008BACE00EEE88080A3C33A82A883003C008E23200B2082C03CE000820B
APIs
• CharPrevA.USER32(?,?,00406DBC,?,00406A99,?,?,0040959C,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004095DE), ref: 00406DC2
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CharPrev
• String ID:
• API String ID: 122130370-0
• Opcode ID: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
• Instruction ID: 95ac89871b9e49aa2ffc5daef894b278f4bc9d8aafa7dca88aae54a0e9e7edad
• Opcode Fuzzy Hash: d44d7a6884596ca32ea416b380b4e8946229468d7e659b1743621721cd4621d4
• Instruction Fuzzy Hash:
APIs
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0040841C
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
• Instruction ID: 68aadeca7c52aa1374545c41b60170f14cbd4c45bc0c673343149efe9cc76684
• Opcode Fuzzy Hash: 4fb7b38294bdf3fcfaab8189c6b2d31175aea6f156bf412ec83bea8fb86574a1
• Instruction Fuzzy Hash: 7B116D716042059BDB00EF19C981B4B37A4AF84359F04847EF998AF2C7DF78D8058B6A
APIs
• VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
• Instruction ID: d2bd3e7102ef9204b91f8816383c595cec19663beeae75bd92b4ab4675e4226e
• Opcode Fuzzy Hash: ae0a35522eec5974c246f826a8cf4d5dbbbccf5172876aab042d95c32cb5ff07
• Instruction Fuzzy Hash: E401F772A042104BC310AF28DDC092A77D4DB84324F19497ED985B73A1D23B7C0587A8
APIs
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
• Opcode ID: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
• Instruction ID: 1333f047c66b0d9688efca9d11da816c999e90cdcd736c06211d3ba452c28d9f
• Opcode Fuzzy Hash: b39bb4760bd10523e8477a282be401f25cebef3596302d631dfd489199f81fc2
• Instruction Fuzzy Hash: B4D0A7D1B00A6007E315F2BF498964B92C85F88655F08843BF685E73D1D67CAC00D38D
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,00408319), ref: 0040834B
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
• Instruction ID: 2902acfab023b9b2f0de86f7a78627cda5d54dfc4b924a21aa22279fbea0049e
• Opcode Fuzzy Hash: 230c808500062b5c35cb01985a317edf3050be8cd861299b6b1c2025d975cd45
• Instruction Fuzzy Hash: 64D002B17553046FDB90EEB94DC5B0237D87B48700F14457A6E44EB2C6F775D8008B14
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 004098F7
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004098FD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409916
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040993D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409942
• ExitWindowsEx.USER32(00000002,00000000), ref: 00409953
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                                                                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                                                                                                            • API String ID: 107509674-3733053543
                                                                                                                                                                                                            • Opcode ID: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
                                                                                                                                                                                                            • Instruction ID: c716305aa6b255ea0f8bf04b803605974c64d9a32ef9e4c16490a57abd096404
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 76c26366ab73d400da16d1d616fb3f23b1dfff142f9860e5fbeddd1887b8e56a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17F062B0284302B6E610AAB18C07F2722885B81B18F40493EB711F52C3D7BDD904866F
APIs
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A0DE
• SizeofResource.KERNEL32(00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000,0040B169), ref: 0040A0F1
• LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132,?,00000000), ref: 0040A103
• LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AB53,00000000,0040B0EA,?,00000001,00000000,00000002,00000000,0040B132), ref: 0040A114
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
• Opcode ID: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
• Instruction ID: 6e0ad9993521ca4487a6dc9182c9ec88a9d7ecf9898e216691337b01ea42cf55
• Opcode Fuzzy Hash: 5a5895066e8623d9c04d621fb25767811aface55f1ffab09d7e5ea7dbda8e6a9
• Instruction Fuzzy Hash: 92E0EA9078970725EAA136E608D6B6B10884BB578EF40113ABB14B92C3DDBC8C14516E
APIs
• GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
• Instruction ID: 0ac2273093169a9723f5a49d7def2a1a0e4efde15c2d8dcba0568209acb81ea7
• Opcode Fuzzy Hash: 6c93c86b5f3b9f7a8269726404ed0fa1fa14f48feaf77c0ba1f6e5dd371dd8fd
• Instruction Fuzzy Hash: 34D05EA631E6502AE310519B2D85EBB4EACCAC57A4F54483BF64CD7252D2248C069776
APIs
• GetSystemTime.KERNEL32(?), ref: 004026CE
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: SystemTime
• String ID:
• API String ID: 2656138-0
• Opcode ID: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
• Instruction ID: 8398a6df79db6557de4560d78939933842e781e1ed99b38cfbf2fd723ed8f470
• Opcode Fuzzy Hash: 9ed56ef6959dd8920af8b6d924cbc2bc4732ada3ba303b98172f22f33df6bd3d
• Instruction Fuzzy Hash: 3BE04F21E0010A42C704ABA5CD435FDF7AEAB95604F044172A418E92E0F631C252C748
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction ID: 388b29b0a79f5f19ed4b4953a6a76f47c3e14b9604a8131d453ab3a085cd796f
• Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
• Instruction Fuzzy Hash: BC32E675E04219DFCB14CF99CA80A9DBBB2BF88314F24816AD855B7385DB34AE42CF54
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 004074C9
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004074CF
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 0040751D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressCloseHandleModuleProc
• String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
• API String ID: 4190037839-2401316094
• Opcode ID: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
• Instruction ID: b0f7b576ff72b1c2059ac61aa9c71175e867ef76c41006bc9f97b140b7c9741a
• Opcode Fuzzy Hash: 7c066b870a361991bc0752fcd93cb8768e255443e349242cb7f15e42003cd7d9
• Instruction Fuzzy Hash: 02215470E04209BBDB00EAE5CC55ADE77A8AB44304F508877A900F36C1E77CBA01C75A
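The three function listings above (the SeShutdownPrivilege/ExitWindowsEx routine, the FindResourceA/LoadResource chain, and the GetModuleHandleA/GetProcAddress lookup of GetUserDefaultUILanguage) are more useful once the raw hex arguments are named. The following Python triage script is an added example, not part of the Joe Sandbox report or of the analysed installer: it parses lines of the form "• Api.DLL(args), ref: ADDR", decodes the Win32 constants that sit in a known argument position (token access rights, ExitWindowsEx flags, resource type and ID), and flags the ordered chain LookupPrivilegeValueA("SeShutdownPrivilege") -> AdjustTokenPrivileges -> ExitWindowsEx as a reboot capability. The sample input is copied from the listings above. The argument columns are the sandbox's stack snapshot and can be shifted or show "?", so the decoder treats anything that is not a parsable hex value as unknown rather than guessing. The decoded values state what the listing only implies: the token is opened with TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, the shutdown flag 2 is EWX_REBOOT without EWX_FORCE, and the resource is RT_RCDATA #11111, the resource ID Inno Setup's setup loader uses for its embedded setup data; reading this stub as an Inno Setup loader is an inference from the listing, not something the report states.

```python
import re
from dataclasses import dataclass

# Constructed sample input: API lines copied from the function listings above
# (the SeShutdownPrivilege, FindResourceA and GetModuleHandleA functions).
SAMPLE = """\
• GetCurrentProcess.KERNEL32(00000028), ref: 004098F7
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004098FD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409916
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 0040993D
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000,00000000,SeShutdownPrivilege), ref: 00409942
• ExitWindowsEx.USER32(00000002,00000000), ref: 00409953
• FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 0040A0DE
• GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,004075A5,?,00000000,00409DB8), ref: 004074C9
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004074CF
"""

# "• Api.DLL(arg,arg,...), ref: ADDR"; the leading bullet/whitespace is skipped.
CALL_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Win32 constants (values from the Windows SDK headers).
TOKEN_ACCESS = [(0x1, "TOKEN_ASSIGN_PRIMARY"), (0x2, "TOKEN_DUPLICATE"), (0x4, "TOKEN_IMPERSONATE"),
                (0x8, "TOKEN_QUERY"), (0x10, "TOKEN_QUERY_SOURCE"), (0x20, "TOKEN_ADJUST_PRIVILEGES"),
                (0x40, "TOKEN_ADJUST_GROUPS"), (0x80, "TOKEN_ADJUST_DEFAULT")]
EWX_FLAGS = [(0x1, "EWX_SHUTDOWN"), (0x2, "EWX_REBOOT"), (0x4, "EWX_FORCE"),
             (0x8, "EWX_POWEROFF"), (0x10, "EWX_FORCEIFHUNG")]
RT_TYPES = {3: "RT_ICON", 5: "RT_DIALOG", 6: "RT_STRING", 10: "RT_RCDATA",
            14: "RT_GROUP_ICON", 16: "RT_VERSION", 24: "RT_MANIFEST"}


@dataclass
class Call:
    api: str
    dll: str
    args: list
    ref: int


def parse_calls(text):
    """Parse the listing into Call records; lines that are not API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            raw = m.group("args")
            calls.append(Call(m.group("api"), m.group("dll"),
                              raw.split(",") if raw else [], int(m.group("ref"), 16)))
    return calls


def _flags(value, table):
    """Name the bits of value listed in table; any leftover bits are kept as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    if rest or not names:
        names.append(f"0x{rest:X}")
    return "|".join(names)


def decode(call):
    """Readable note for calls whose constant argument position is known, else None."""
    a = call.args
    try:
        if call.api == "OpenProcessToken" and len(a) >= 2:
            return "DesiredAccess=" + _flags(int(a[1], 16), TOKEN_ACCESS)
        if call.api == "ExitWindowsEx" and a:
            v = int(a[0], 16)
            return "uFlags=" + ("EWX_LOGOFF" if v == 0 else _flags(v, EWX_FLAGS))
        if call.api == "FindResourceA" and len(a) >= 3:
            rid, rtype = int(a[1], 16), int(a[2], 16)
            return f"lpName=#{rid} lpType={RT_TYPES.get(rtype, f'0x{rtype:X}')}"
        if call.api == "LookupPrivilegeValueA" and len(a) >= 2:
            return "lpName=" + a[1]
    except ValueError:  # argument shown as '?' or as text where a number was expected
        return None
    return None


def find_chain(calls, chain):
    """Ordered-subsequence match of (api, predicate) steps; returns matched refs or None."""
    hits, step = [], 0
    for c in calls:
        api, pred = chain[step]
        if c.api == api and (pred is None or pred(c)):
            hits.append(c.ref)
            step += 1
            if step == len(chain):
                return hits
    return None


# The process enables SeShutdownPrivilege on its own token, then calls ExitWindowsEx.
REBOOT_CHAIN = [("LookupPrivilegeValueA", lambda c: "SeShutdownPrivilege" in c.args),
                ("AdjustTokenPrivileges", None), ("ExitWindowsEx", None)]


def triage(text):
    """Return (calls, {ref: decoded note}, [findings]) for one listing."""
    calls = parse_calls(text)
    notes = {c.ref: decode(c) for c in calls if decode(c) is not None}
    findings = []
    hits = find_chain(calls, REBOOT_CHAIN)
    if hits:
        findings.append("reboot capability (SeShutdownPrivilege -> AdjustTokenPrivileges -> "
                        "ExitWindowsEx) at " + ", ".join(f"{r:08X}" for r in hits))
    return calls, notes, findings


if __name__ == "__main__":
    calls, notes, findings = triage(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X} {c.api}.{c.dll}  {notes.get(c.ref, '')}")
    for f in findings:
        print("FINDING:", f)
```

Extending it to the other listings is a matter of adding decoders keyed on the API name and a known argument position; chains are plain ordered subsequences, so a LoadResource-then-WriteFile or CreateProcess-suspended chain is expressed the same way as REBOOT_CHAIN.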
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
• GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
• GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
• GetLastError.KERNEL32(000000F5), ref: 00403C1E
Memory Dump Source
• Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
                                                                                                                                                                                                            • API String ID: 1694776339-0
                                                                                                                                                                                                            • Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                            • Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00405A5C,?,?,?,?,00000000,00000000,00000000,?,00406A3B,00000000,00406A4E), ref: 0040582E
                                                                                                                                                                                                              • Part of subcall function 0040565C: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040D4C0,00000001,?,00405727,?,00000000,00405806), ref: 0040567A
                                                                                                                                                                                                              • Part of subcall function 004056A8: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004058AA,?,?,?,00000000,00405A5C), ref: 004056BB
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                                            • API String ID: 1044490935-665933166
                                                                                                                                                                                                            • Opcode ID: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
                                                                                                                                                                                                            • Instruction ID: 1f8fb3564ea85801462352e9f704d9e8acf1e4fd8595550e023c4eac14c4b858
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f64dfcc9beea8e06f9a7216c135bb3ef8748e57adf0d60dccc58cc6af9805412
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B513E34B006486BDB00FAA58C81A8F77A9DB99304F50857BA515BB3C6CA3DDA098F5C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
                                                                                                                                                                                                            • SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
                                                                                                                                                                                                            • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ByteCharMultiWide$AllocString
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 262959230-0
                                                                                                                                                                                                            • Opcode ID: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                                                                                                                                            • Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a67f2483392f3a9295a6f421ec51b00ba0520a603cf3575c2b5e933881db78c1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(00000000,0040AAAE), ref: 004030E3
                                                                                                                                                                                                            • GetCommandLineA.KERNEL32(00000000,0040AAAE), ref: 004030EE
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CommandHandleLineModule
                                                                                                                                                                                                            • String ID: U1hd.@$X6p
                                                                                                                                                                                                            • API String ID: 2123368496-1795313739
                                                                                                                                                                                                            • Opcode ID: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                                                                                                                                                                            • Instruction ID: daea45a2aa12e23edc1a75ca5ccfa9dec32d0aab9986280789c112b27ba3568a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4ac654993ecb6f0c10b1cacd39e13426f3fb1ace3b4aa0046ecf3c9b516135ec
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3AC0027894134055D764AFF69E497047594A74930DF40443FA20C7A1F1D67C460A6BDD
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MessageBoxA.USER32(00000000,00000000,Setup,00000010), ref: 0040A15D
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si, xrefs: 0040A141
                                                                                                                                                                                                            • Setup, xrefs: 0040A14D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000D.00000002.1889201446.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889127144.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889245870.000000000040C000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000D.00000002.1889321411.0000000000412000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_13_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Message
                                                                                                                                                                                                            • String ID: Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will install... Do you wish to continue? prompt at the beginning of Setup./SILENT, /VERYSILENTInstructs Setup to be silent or very si
                                                                                                                                                                                                            • API String ID: 2030045667-3271211647
                                                                                                                                                                                                            • Opcode ID: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
                                                                                                                                                                                                            • Instruction ID: 9b5d989b58a55d658cadae164e54e3781760331d38193a884cd145b826483737
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff94df1eb2564fec58b9a221cc3fe3b9cf965a2b136f430670f36a0b3f2e2132
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 87E065302443087EE312EA629C13F5E7BACE789B54F614477F500B55C1D6795E10D46D

Execution Graph

Execution Coverage: 14.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 106
                                                                                                                                                                                                            execution_graph 50034 42f9c0 50035 42f9cb 50034->50035 50036 42f9cf NtdllDefWindowProc_A 50034->50036 50036->50035 50037 40d084 50040 407360 WriteFile 50037->50040 50041 40737d 50040->50041 50042 44b948 50043 44b956 50042->50043 50045 44b975 50042->50045 50043->50045 50046 44b82c 50043->50046 50047 44b85f 50046->50047 50057 414f38 50047->50057 50049 44b89f GetDC 50061 41a638 50049->50061 50051 44b872 50051->50049 50080 40357c 50051->50080 50054 44b8d0 50069 44b560 50054->50069 50056 44b8e4 ReleaseDC 50056->50045 50058 414f46 50057->50058 50094 4034e0 50058->50094 50060 414f53 50060->50051 50062 41a663 50061->50062 50063 41a6ff 50061->50063 50201 403520 50062->50201 50064 403400 4 API calls 50063->50064 50065 41a717 SelectObject 50064->50065 50065->50054 50067 41a6f3 CreateFontIndirectA 50067->50063 50068 41a6bb 50068->50067 50070 44b577 50069->50070 50071 44b60a 50070->50071 50072 44b5f3 50070->50072 50073 44b58a 50070->50073 50071->50056 50075 44b603 DrawTextA 50072->50075 50073->50071 50074 402648 18 API calls 50073->50074 50076 44b59b 50074->50076 50075->50071 50077 44b5b9 MultiByteToWideChar DrawTextW 50076->50077 50078 402660 4 API calls 50077->50078 50079 44b5eb 50078->50079 50079->50056 50081 403580 50080->50081 50082 4035bf 50080->50082 50083 403450 50081->50083 50084 40358a 50081->50084 50082->50049 50090 4034bc 18 API calls 50083->50090 50091 403464 50083->50091 50085 4035b4 50084->50085 50086 40359d 50084->50086 50089 4038a4 18 API calls 50085->50089 50204 4038a4 50086->50204 50088 403490 50088->50049 50093 4035a2 50089->50093 50090->50091 50091->50088 50092 402660 4 API calls 50091->50092 50092->50088 50093->50049 50099 4034bc 50094->50099 50096 4034f0 50104 403400 50096->50104 50100 4034c0 50099->50100 50101 4034dc 50099->50101 50108 402648 
50100->50108 50101->50096 50105 403406 50104->50105 50106 40341f 50104->50106 50105->50106 50196 402660 50105->50196 50106->50060 50109 40264c 50108->50109 50112 402656 50108->50112 50114 402088 50109->50114 50110 402652 50110->50112 50125 4033bc LocalAlloc TlsSetValue TlsGetValue TlsGetValue 50110->50125 50112->50096 50115 40209c 50114->50115 50118 4020a1 50114->50118 50126 4019cc RtlInitializeCriticalSection 50115->50126 50117 4020c6 RtlEnterCriticalSection 50119 4020d0 50117->50119 50118->50117 50118->50119 50122 4020a5 50118->50122 50119->50122 50133 401f94 50119->50133 50122->50110 50123 4021f1 RtlLeaveCriticalSection 50124 4021fb 50123->50124 50124->50110 50125->50112 50127 4019f0 RtlEnterCriticalSection 50126->50127 50128 4019fa 50126->50128 50127->50128 50129 401a18 LocalAlloc 50128->50129 50130 401a32 50129->50130 50131 401a81 50130->50131 50132 401a77 RtlLeaveCriticalSection 50130->50132 50131->50118 50132->50131 50136 401fa4 50133->50136 50134 401fd0 50138 401ff4 50134->50138 50144 401db4 50134->50144 50136->50134 50136->50138 50139 401f0c 50136->50139 50138->50123 50138->50124 50148 40178c 50139->50148 50142 401f29 50142->50136 50145 401e02 50144->50145 50146 401dd2 50144->50146 50145->50146 50170 401d1c 50145->50170 50146->50138 50151 4017a8 50148->50151 50150 4017b2 50167 401678 VirtualAlloc 50150->50167 50151->50150 50153 40180f 50151->50153 50156 401803 50151->50156 50159 4014e4 50151->50159 50168 4013e0 LocalAlloc 50151->50168 50153->50142 50158 401e80 9 API calls 50153->50158 50155 4017be 50155->50153 50169 4015c0 VirtualFree 50156->50169 50158->50142 50160 4014f3 VirtualAlloc 50159->50160 50162 401520 50160->50162 50163 401543 50160->50163 50164 401398 LocalAlloc 50162->50164 50163->50151 50165 40152c 50164->50165 50165->50163 50166 401530 VirtualFree 50165->50166 50166->50163 50167->50155 50168->50151 50169->50153 50171 401d2e 50170->50171 50172 401d51 50171->50172 50173 401d63 50171->50173 50183 401940 50172->50183 50175 401940 3 API calls 
[Execution graph residue: the report's rendered call graph (numeric node ids, function addresses from 0x401454 through 0x49a490, and the edges between them) does not survive text extraction and is summarised here. Recoverable from it are the API labels attached to the graph nodes: memory and TLS management (LocalAlloc, VirtualFree, GlobalAlloc/GlobalLock/GlobalReAlloc/GlobalUnlock/GlobalFree, TlsSetValue/TlsGetValue); window and message handling (RegisterClassA, CreateWindowExA, SetWindowLongA/GetWindowLongA, SetPropA, SetWindowPos, ShowWindow, SendMessageA/PostMessageA, PostQuitMessage, NtdllDefWindowProc_A, EnumWindows/EnumThreadWindows, GetWindow, IsWindow/IsWindowEnabled/IsWindowVisible/IsIconic, EnableWindow, GetFocus/SetFocus, GetActiveWindow/SetActiveWindow/GetForegroundWindow, CallWindowProcA, WinHelpA, LoadIconA, LoadStringA, GetSysColor/SetTextColor/SetBkColor/CreateBrushIndirect, SystemParametersInfoA, MessageBeep); locale and string handling (GetSystemDefaultLCID, GetLocaleInfoA, IsDBCSLeadByte, CharNextA/CharPrevA, VariantClear); file-system operations bracketed by Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection, each followed by GetLastError (DeleteFileA, CreateDirectoryA, RemoveDirectoryA), plus GetFileAttributesA, GetFullPathNameA and SetCurrentDirectoryA; a retry loop built from GetLastError, GetTickCount and Sleep; registry reads (RegOpenKeyExA, RegQueryValueExA); library loading (GetVersion and GetSystemDirectoryA followed by LoadLibraryA; SetErrorMode followed by LoadLibraryA; GetModuleHandleA/GetVersion/GetProcAddress resolving and calling SetProcessDEPPolicy); process start-up (GetModuleHandleA, GetCommandLineA); and time conversion (GetSystemTimeAsFileTime, FileTimeToSystemTime).]
GetWindowLongA DestroyWindow SendMessageA 56465->56639 56467 49985b 56467->56465 56638 498538 77 API calls 56467->56638 56470 499889 56471 403400 4 API calls 56470->56471 56472 4998a8 56471->56472 56474 49893a 56473->56474 56475 498958 56474->56475 56476 498951 56474->56476 56478 498987 56475->56478 56480 498993 56475->56480 56797 47fa5c 6 API calls 56476->56797 56798 457950 48 API calls 56478->56798 56481 4989bd 56480->56481 56482 4989bf 56480->56482 56483 4989b3 56480->56483 56484 45850c 38 API calls 56481->56484 56800 4584b0 44 API calls 56482->56800 56799 4582f8 50 API calls 56483->56799 56487 498a0a 56484->56487 56488 403494 4 API calls 56487->56488 56489 498a17 56488->56489 56490 40357c 18 API calls 56489->56490 56491 498a25 56490->56491 56492 45850c 38 API calls 56491->56492 56493 498a2d 56492->56493 56635->56464 56637->56467 56638->56465 56639->56470 56797->56475 56798->56480 56799->56481 56800->56481 56970 41f2a4 56971 41f2b3 IsWindowVisible 56970->56971 56972 41f2e9 56970->56972 56971->56972 56973 41f2bd IsWindowEnabled 56971->56973 56973->56972 56974 41f2c7 56973->56974 56975 402648 18 API calls 56974->56975 56976 41f2d1 EnableWindow 56975->56976 56976->56972 56977 41ffa8 56978 41ffb1 56977->56978 56981 42024c 56978->56981 56980 41ffbe 56982 42033e 56981->56982 56983 420263 56981->56983 56982->56980 56983->56982 57002 41fe0c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 56983->57002 56985 420299 56986 4202c3 56985->56986 56987 42029d 56985->56987 57012 41fe0c GetWindowLongA GetSystemMetrics GetSystemMetrics GetWindowLongA 56986->57012 57003 41ffec 56987->57003 56991 4202d1 56993 4202d5 56991->56993 56994 4202fb 56991->56994 56992 41ffec 10 API calls 57001 4202c1 56992->57001 56995 41ffec 10 API calls 56993->56995 56996 41ffec 10 API calls 56994->56996 56997 4202e7 56995->56997 56998 42030d 56996->56998 56999 41ffec 10 API calls 56997->56999 57000 41ffec 10 API calls 56998->57000 56999->57001 57000->57001 57001->56980 57002->56985 57004 
420007 57003->57004 57005 42001d 57004->57005 57006 41fd8c 4 API calls 57004->57006 57013 41fd8c 57005->57013 57006->57005 57008 420065 57009 420088 SetScrollInfo 57008->57009 57021 41feec 57009->57021 57012->56991 57014 418630 57013->57014 57015 41fda9 GetWindowLongA 57014->57015 57016 41fde6 57015->57016 57017 41fdc6 57015->57017 57033 41fd18 GetWindowLongA GetSystemMetrics GetSystemMetrics 57016->57033 57032 41fd18 GetWindowLongA GetSystemMetrics GetSystemMetrics 57017->57032 57020 41fdd2 57020->57008 57022 41fefa 57021->57022 57023 41ff02 57021->57023 57022->56992 57024 41ff3f 57023->57024 57025 41ff41 57023->57025 57026 41ff31 57023->57026 57027 41ff81 GetScrollPos 57024->57027 57035 418298 IsWindowVisible ScrollWindow SetWindowPos 57025->57035 57034 418298 IsWindowVisible ScrollWindow SetWindowPos 57026->57034 57027->57022 57030 41ff8c 57027->57030 57031 41ff9b SetScrollPos 57030->57031 57031->57022 57032->57020 57033->57020 57034->57024 57035->57024 57036 404d2a 57042 404d3a 57036->57042 57037 404e07 ExitProcess 57038 404de0 57052 404cf0 57038->57052 57041 404cf0 4 API calls 57044 404df4 57041->57044 57042->57037 57042->57038 57042->57042 57043 404e12 57042->57043 57046 404db7 MessageBoxA 57042->57046 57047 404dcc 57042->57047 57056 401a90 57044->57056 57046->57038 57068 40500c LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57047->57068 57048 404df9 57048->57037 57048->57043 57053 404cfe 57052->57053 57055 404d13 57053->57055 57069 402728 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57053->57069 57055->57041 57057 401aa1 57056->57057 57058 401b6f 57056->57058 57059 401ac2 LocalFree 57057->57059 57060 401ab8 RtlEnterCriticalSection 57057->57060 57058->57048 57061 401af5 57059->57061 57060->57059 57062 401ae3 VirtualFree 57061->57062 57063 401afd 57061->57063 57062->57061 57064 401b24 LocalFree 57063->57064 57065 401b3b 57063->57065 57064->57064 57064->57065 57066 401b53 RtlLeaveCriticalSection 57065->57066 57067 401b5d RtlDeleteCriticalSection 57065->57067 
57066->57067 57067->57048 57069->57055 57070 4209e8 57071 4209fb 57070->57071 57091 415f80 57071->57091 57073 420b42 57074 420b59 57073->57074 57098 414b24 KiUserCallbackDispatcher 57073->57098 57078 420b70 57074->57078 57099 414b68 KiUserCallbackDispatcher 57074->57099 57075 420aa1 57096 420c98 34 API calls 57075->57096 57076 420a36 57076->57073 57076->57075 57084 420a92 MulDiv 57076->57084 57081 420b92 57078->57081 57100 4204b0 12 API calls 57078->57100 57082 420aba 57082->57073 57097 4204b0 12 API calls 57082->57097 57095 41a754 19 API calls 57084->57095 57087 420ad7 57088 420af3 MulDiv 57087->57088 57089 420b16 57087->57089 57088->57089 57089->57073 57090 420b1f MulDiv 57089->57090 57090->57073 57092 415f92 57091->57092 57101 4148c0 57092->57101 57094 415faa 57094->57076 57095->57075 57096->57082 57097->57087 57098->57074 57099->57078 57100->57081 57102 4148da 57101->57102 57105 4108a8 57102->57105 57104 4148f0 57104->57094 57108 40e0f4 57105->57108 57107 4108ae 57107->57104 57109 40e156 57108->57109 57110 40e107 57108->57110 57115 40e164 57109->57115 57113 40e164 33 API calls 57110->57113 57114 40e131 57113->57114 57114->57107 57116 40e174 57115->57116 57118 40e18a 57116->57118 57127 40e4ec 57116->57127 57143 40da30 57116->57143 57146 40e39c 57118->57146 57121 40e192 57122 40da30 19 API calls 57121->57122 57123 40e1fe 57121->57123 57149 40dfb0 57121->57149 57122->57121 57124 40e39c 19 API calls 57123->57124 57126 40e160 57124->57126 57126->57107 57128 40edbc 19 API calls 57127->57128 57131 40e527 57128->57131 57129 403778 18 API calls 57129->57131 57130 40e5dd 57132 40e607 57130->57132 57133 40e5f8 57130->57133 57131->57129 57131->57130 57216 40dbc4 19 API calls 57131->57216 57217 40e4d0 19 API calls 57131->57217 57213 40be74 57132->57213 57163 40e810 57133->57163 57138 40e605 57140 403400 4 API calls 57138->57140 57141 40e6ac 57140->57141 57141->57116 57144 40ee58 19 API calls 57143->57144 57145 40da3a 57144->57145 57145->57116 57250 40d90c 57146->57250 57150 
40e3a4 19 API calls 57149->57150 57151 40dfe3 57150->57151 57152 40edbc 19 API calls 57151->57152 57153 40dfee 57152->57153 57154 40edbc 19 API calls 57153->57154 57155 40dff9 57154->57155 57156 40e014 57155->57156 57157 40e00b 57155->57157 57158 40e011 57155->57158 57259 40de28 57156->57259 57262 40df18 33 API calls 57157->57262 57161 403420 4 API calls 57158->57161 57162 40e0df 57161->57162 57162->57121 57164 40e846 57163->57164 57165 40e83c 57163->57165 57167 40e961 57164->57167 57168 40e8e5 57164->57168 57169 40e946 57164->57169 57170 40e9c6 57164->57170 57171 40e888 57164->57171 57172 40e929 57164->57172 57173 40e90b 57164->57173 57203 40e8ac 57164->57203 57206 40e8b9 57164->57206 57219 40d890 19 API calls 57165->57219 57178 40dbb4 19 API calls 57167->57178 57227 40e274 19 API calls 57168->57227 57232 40ece0 19 API calls 57169->57232 57175 40dbb4 19 API calls 57170->57175 57220 40dbb4 57171->57220 57230 40edf8 19 API calls 57172->57230 57229 40e234 19 API calls 57173->57229 57185 40e9ce 57175->57185 57187 40e969 57178->57187 57180 403400 4 API calls 57188 40ea3b 57180->57188 57183 40e934 57231 40a188 18 API calls 57183->57231 57184 40e8f0 57228 40d8c0 19 API calls 57184->57228 57191 40e9d2 57185->57191 57192 40e9eb 57185->57192 57195 40e973 57187->57195 57196 40e96d 57187->57196 57188->57138 57198 40ee58 19 API calls 57191->57198 57239 40e274 19 API calls 57192->57239 57193 40e8b1 57225 40e328 19 API calls 57193->57225 57194 40e894 57223 40e274 19 API calls 57194->57223 57233 40ee58 57195->57233 57204 40ee58 19 API calls 57196->57204 57212 40e971 57196->57212 57198->57203 57202 40e89f 57224 40e6bc 19 API calls 57202->57224 57203->57180 57208 40e994 57204->57208 57206->57203 57226 40dc68 19 API calls 57206->57226 57236 40dcf0 19 API calls 57208->57236 57209 40e9b6 57238 40e724 18 API calls 57209->57238 57212->57203 57237 40e274 19 API calls 57212->57237 57245 40be20 57213->57245 57216->57131 57217->57131 57218 40dbc4 19 API calls 57218->57138 57219->57164 57221 
40ee58 19 API calls 57220->57221 57222 40dbbe 57221->57222 57222->57193 57222->57194 57223->57202 57224->57203 57225->57206 57226->57203 57227->57184 57228->57203 57229->57203 57230->57183 57231->57203 57232->57203 57240 40dbd0 57233->57240 57236->57212 57237->57209 57238->57203 57239->57203 57242 40dbdb 57240->57242 57241 40dc15 57241->57203 57242->57241 57244 40dc1c 19 API calls 57242->57244 57244->57242 57246 40be32 57245->57246 57248 40be57 57245->57248 57246->57248 57249 40bed4 LocalAlloc TlsSetValue TlsGetValue TlsGetValue 57246->57249 57248->57138 57248->57218 57249->57248 57251 40ee58 19 API calls 57250->57251 57252 40d919 57251->57252 57253 40d92c 57252->57253 57257 40ef5c 19 API calls 57252->57257 57253->57121 57255 40d927 57258 40d8a8 19 API calls 57255->57258 57257->57255 57258->57253 57263 40afcc 33 API calls 57259->57263 57261 40de50 57261->57158 57262->57158 57263->57261 57264 47dbe8 57265 47dc12 57264->57265 57266 47dbf1 57264->57266 57267 42c84c 19 API calls 57265->57267 57268 42c84c 19 API calls 57266->57268 57270 47dc1f 57267->57270 57269 47dbfe 57268->57269 57271 4035c0 18 API calls 57269->57271 57272 4035c0 18 API calls 57270->57272 57273 47dc10 57271->57273 57272->57273 57274 47d8e4 22 API calls 57273->57274 57275 47dc36 57274->57275 57276 403400 4 API calls 57275->57276 57277 47dc4b 57276->57277 57278 48f6bc 57279 48f70d 57278->57279 57280 48f739 57279->57280 57281 48f70f 57279->57281 57284 48f748 57280->57284 57285 48f772 57280->57285 57282 447498 32 API calls 57281->57282 57283 48f71c 57282->57283 57286 4534e4 5 API calls 57283->57286 57287 447498 32 API calls 57284->57287 57292 48f7ab 57285->57292 57293 48f781 57285->57293 57288 48f729 57286->57288 57289 48f755 57287->57289 57290 447570 19 API calls 57288->57290 57291 4530c4 25 API calls 57289->57291 57724 48f734 57290->57724 57294 48f762 57291->57294 57300 48f7ba 57292->57300 57301 48f81f 57292->57301 57295 447498 32 API calls 57293->57295 57296 447570 19 API calls 57294->57296 57298 
48f78e 57295->57298 57296->57724 57297 403420 4 API calls 57302 490d11 57297->57302 57299 453134 25 API calls 57298->57299 57303 48f79b 57299->57303 57304 447498 32 API calls 57300->57304 57309 48f82e 57301->57309 57310 48f8a4 57301->57310 57305 403420 4 API calls 57302->57305 57306 447570 19 API calls 57303->57306 57307 48f7c9 57304->57307 57308 490d1e 57305->57308 57306->57724 57311 447498 32 API calls 57307->57311 57312 403400 4 API calls 57308->57312 57314 44743c 32 API calls 57309->57314 57319 48f90f 57310->57319 57320 48f8b3 57310->57320 57315 48f7e0 57311->57315 57313 490d26 57312->57313 57316 48f83a 57314->57316 57317 447498 32 API calls 57315->57317 57318 44743c 32 API calls 57316->57318 57321 48f7f3 57317->57321 57322 48f847 57318->57322 57329 48f96b 57319->57329 57330 48f91e 57319->57330 57323 447498 32 API calls 57320->57323 57324 447498 32 API calls 57321->57324 57325 447498 32 API calls 57322->57325 57326 48f8c2 57323->57326 57327 48f804 57324->57327 57331 48f857 57325->57331 57332 447498 32 API calls 57326->57332 57949 42d1e4 20 API calls 57327->57949 57343 48f97a 57329->57343 57344 48f9b3 57329->57344 57334 447498 32 API calls 57330->57334 57335 447498 32 API calls 57331->57335 57336 48f8d5 57332->57336 57333 48f80e 57338 4477ec 19 API calls 57333->57338 57339 48f92d 57334->57339 57340 48f86a 57335->57340 57337 447498 32 API calls 57336->57337 57342 48f8e6 57337->57342 57338->57724 57345 447498 32 API calls 57339->57345 57341 447498 32 API calls 57340->57341 57346 48f87b 57341->57346 57952 4473f0 57342->57952 57348 447498 32 API calls 57343->57348 57357 48fa22 57344->57357 57358 48f9c2 57344->57358 57349 48f940 57345->57349 57351 44743c 32 API calls 57346->57351 57353 48f989 57348->57353 57350 447498 32 API calls 57349->57350 57354 48f951 57350->57354 57355 48f88b 57351->57355 57359 447498 32 API calls 57353->57359 57957 42d42c GetPrivateProfileStringA GetProfileStringA lstrcmp 57354->57957 57950 42d2e8 20 API calls 57355->57950 57371 48fa8d 
57357->57371 57372 48fa31 57357->57372 57363 447498 32 API calls 57358->57363 57364 48f99a 57359->57364 57362 48f8ff 57367 447570 19 API calls 57362->57367 57368 48f9d1 57363->57368 57958 42d478 GetPrivateProfileStringA GetProfileStringA 57364->57958 57365 48f95b 57370 447570 19 API calls 57365->57370 57366 48f894 57951 447718 19 API calls 57366->57951 57367->57724 57374 447498 32 API calls 57368->57374 57370->57724 57381 48faf8 57371->57381 57382 48fa9c 57371->57382 57377 447498 32 API calls 57372->57377 57378 48f9e4 57374->57378 57375 48f9a3 57376 447570 19 API calls 57375->57376 57376->57724 57379 48fa40 57377->57379 57380 447498 32 API calls 57378->57380 57383 447498 32 API calls 57379->57383 57384 48f9f7 57380->57384 57391 48fb46 57381->57391 57392 48fb07 57381->57392 57385 447498 32 API calls 57382->57385 57386 48fa53 57383->57386 57387 447498 32 API calls 57384->57387 57388 48faab 57385->57388 57389 447498 32 API calls 57386->57389 57390 48fa08 57387->57390 57393 447498 32 API calls 57388->57393 57394 48fa64 57389->57394 57959 42d4e8 WritePrivateProfileStringA WriteProfileStringA 57390->57959 57404 48fb80 57391->57404 57405 48fb55 57391->57405 57396 447498 32 API calls 57392->57396 57397 48fabe 57393->57397 57398 44743c 32 API calls 57394->57398 57401 48fb16 57396->57401 57402 447498 32 API calls 57397->57402 57403 48fa74 57398->57403 57399 48fa12 57400 447570 19 API calls 57399->57400 57400->57724 57406 447498 32 API calls 57401->57406 57407 48facf 57402->57407 57960 42d558 35 API calls 57403->57960 57418 48fbb8 57404->57418 57419 48fb8f 57404->57419 57409 447498 32 API calls 57405->57409 57410 48fb27 57406->57410 57411 4473f0 32 API calls 57407->57411 57414 48fb62 57409->57414 57415 447498 32 API calls 57410->57415 57416 48fadf 57411->57416 57412 48fa7d 57413 447570 19 API calls 57412->57413 57413->57724 57417 447498 32 API calls 57414->57417 57420 48fb37 57415->57420 57961 42d5b8 35 API calls 57416->57961 57422 48fb72 57417->57422 57429 48fbe0 
57418->57429 57430 48fbc7 57418->57430 57423 447498 32 API calls 57419->57423 57962 42d5d0 WritePrivateProfileStringA WriteProfileStringA 57420->57962 57963 42d61c WritePrivateProfileStringA WriteProfileStringA 57422->57963 57428 48fb9c 57423->57428 57425 48fae8 57426 447570 19 API calls 57425->57426 57426->57724 57431 42d658 19 API calls 57428->57431 57437 48fbef 57429->57437 57438 48fc04 57429->57438 57432 42d77c 19 API calls 57430->57432 57433 48fba7 57431->57433 57435 48fbcf 57432->57435 57434 4477ec 19 API calls 57433->57434 57434->57724 57436 4477ec 19 API calls 57435->57436 57436->57724 57439 42d840 19 API calls 57437->57439 57442 48fc13 57438->57442 57443 48fc36 57438->57443 57440 48fbf4 57439->57440 57964 447718 19 API calls 57440->57964 57444 44743c 32 API calls 57442->57444 57447 48fc6e 57443->57447 57448 48fc45 57443->57448 57445 48fc1d 57444->57445 57446 42d89c 20 API calls 57445->57446 57450 48fc25 57446->57450 57454 48fc7d 57447->57454 57455 48fca6 57447->57455 57449 447498 32 API calls 57448->57449 57451 48fc52 57449->57451 57452 4477ec 19 API calls 57450->57452 57453 42c84c 19 API calls 57451->57453 57452->57724 57456 48fc5d 57453->57456 57457 447498 32 API calls 57454->57457 57460 48fcde 57455->57460 57461 48fcb5 57455->57461 57458 4477ec 19 API calls 57456->57458 57459 48fc8a 57457->57459 57458->57724 57965 42cfb8 19 API calls 57459->57965 57468 48fced 57460->57468 57469 48fd16 57460->57469 57463 447498 32 API calls 57461->57463 57465 48fcc2 57463->57465 57464 48fc95 57466 4477ec 19 API calls 57464->57466 57467 42d010 20 API calls 57465->57467 57466->57724 57470 48fccd 57467->57470 57471 447498 32 API calls 57468->57471 57475 48fd4e 57469->57475 57476 48fd25 57469->57476 57472 4477ec 19 API calls 57470->57472 57473 48fcfa 57471->57473 57472->57724 57966 42d938 20 API calls 57473->57966 57481 48fd8b 57475->57481 57482 48fd5d 57475->57482 57478 447498 32 API calls 57476->57478 57477 48fd05 57479 4477ec 19 API calls 57477->57479 57480 48fd32 
57478->57480 57479->57724 57967 42d990 19 API calls 57480->57967 57489 48fd9a 57481->57489 57490 48fdb3 57481->57490 57484 447498 32 API calls 57482->57484 57486 48fd6a 57484->57486 57485 48fd3d 57487 4477ec 19 API calls 57485->57487 57968 45329c 22 API calls 57486->57968 57487->57724 57492 42dce8 19 API calls 57489->57492 57495 48fddb 57490->57495 57496 48fdc2 57490->57496 57491 48fd7a 57494 48fda2 57492->57494 57497 4477ec 19 API calls 57494->57497 57501 48fdea 57495->57501 57502 48fe03 57495->57502 57498 42dd14 19 API calls 57496->57498 57497->57724 57499 48fdca 57498->57499 57503 42dd40 6 API calls 57501->57503 57505 48fe30 57502->57505 57506 48fe12 57502->57506 57724->57297 57949->57333 57950->57366 57951->57724 57953 4473f5 57952->57953 57993 435ee0 57953->57993 57956 42d37c 20 API calls 57956->57362 57957->57365 57958->57375 57959->57399 57960->57412 57961->57425 57962->57724 57963->57724 57964->57724 57965->57464 57966->57477 57967->57485 57968->57491 57994 435f20 57993->57994 57995 435efe 57993->57995 57996 43600a 57994->57996 57999 435fb0 57994->57999 58011 435f77 57994->58011 57995->57994 58012 40905c 18 API calls 57995->58012 58017 40905c 18 API calls 57996->58017 58001 435fff 57999->58001 58002 435fbe 57999->58002 58000 403400 4 API calls 58003 436035 58000->58003 58016 403f90 32 API calls 58001->58016 58013 40483c 32 API calls 58002->58013 58003->57956 58006 435fc8 58007 435fd3 58006->58007 58008 435fe7 58006->58008 58014 40483c 32 API calls 58007->58014 58015 40905c 18 API calls 58008->58015 58011->58000 58012->57994 58013->58006 58014->58011 58015->58011 58016->58011 58017->58011 58018 422734 58019 422743 58018->58019 58024 4216c4 58019->58024 58022 422763 58025 421733 58024->58025 58038 4216d3 58024->58038 58028 421744 58025->58028 58049 412920 GetMenuItemCount GetMenuStringA GetMenuState 58025->58049 58027 421772 58030 4217e5 58027->58030 58035 42178d 58027->58035 58028->58027 58029 42180a 58028->58029 58033 42181e SetMenu 58029->58033 58046 
4217e3 58029->58046 58037 4217f9 58030->58037 58030->58046 58031 421836 58052 42160c 24 API calls 58031->58052 58033->58046 58041 4217b0 GetMenu 58035->58041 58035->58046 58036 42183d 58036->58022 58047 422638 10 API calls 58036->58047 58040 421802 SetMenu 58037->58040 58038->58025 58048 40917c 33 API calls 58038->58048 58040->58046 58042 4217ba 58041->58042 58043 4217d3 58041->58043 58045 4217cd SetMenu 58042->58045 58050 412920 GetMenuItemCount GetMenuStringA GetMenuState 58043->58050 58045->58043 58046->58031 58051 42227c 25 API calls 58046->58051 58047->58022 58048->58038 58049->58028 58050->58046 58051->58031 58052->58036 58053 42e83f SetErrorMode 58054 494cf4 58055 494d3c 58054->58055 58056 494d3e 58055->58056 58057 494d57 58055->58057 58304 424690 GetLastActivePopup IsWindowVisible IsWindowEnabled SetForegroundWindow 58056->58304 58060 494da6 58057->58060 58061 494d66 58057->58061 58059 494d48 58062 42462c 11 API calls 58059->58062 58066 494df5 58060->58066 58067 494db5 58060->58067 58063 494d77 58061->58063 58305 48e164 33 API calls 58061->58305 58199 494d52 58062->58199 58306 48e330 18 API calls 58063->58306 58080 494e35 58066->58080 58081 494e04 58066->58081 58071 494dc6 58067->58071 58307 48e164 33 API calls 58067->58307 58068 494d7c 58072 414f38 18 API calls 58068->58072 58069 403420 4 API calls 58070 49556c 58069->58070 58073 403400 4 API calls 58070->58073 58308 48e330 18 API calls 58071->58308 58076 494d8a 58072->58076 58077 495574 58073->58077 58079 42d010 20 API calls 58076->58079 58083 403400 4 API calls 58077->58083 58078 494dcb 58084 414f38 18 API calls 58078->58084 58085 494d95 58079->58085 58094 494ea4 58080->58094 58095 494e44 58080->58095 58082 494e15 58081->58082 58309 48e164 33 API calls 58081->58309 58310 48e330 18 API calls 58082->58310 58088 49557c 58083->58088 58089 494dd9 58084->58089 58090 4477ec 19 API calls 58085->58090 58092 403400 4 API calls 58088->58092 58093 42d010 20 API calls 58089->58093 58090->58199 58091 494e1a 58105 
447570 19 API calls 58091->58105 58096 495584 58092->58096 58097 494de4 58093->58097 58103 494f30 58094->58103 58104 494eb3 58094->58104 58098 494e55 58095->58098 58311 48e164 33 API calls 58095->58311 58100 4477ec 19 API calls 58097->58100 58312 48e330 18 API calls 58098->58312 58100->58199 58102 494e5a 58106 46a4ec SendMessageA 58102->58106 58112 494f3f 58103->58112 58113 494fbe 58103->58113 58107 494ec4 58104->58107 58313 48e164 33 API calls 58104->58313 58105->58199 58108 494e5f 58106->58108 58115 4473f0 32 API calls 58107->58115 58110 494e65 58108->58110 58111 494e94 58108->58111 58114 4473f0 32 API calls 58110->58114 58117 4477ec 19 API calls 58111->58117 58116 494f50 58112->58116 58315 48e164 33 API calls 58112->58315 58124 494fcd 58113->58124 58125 494ff6 58113->58125 58118 494e6f 58114->58118 58119 494eed 58115->58119 58129 4473f0 32 API calls 58116->58129 58117->58199 58121 494e73 58118->58121 58122 494e84 58118->58122 58314 48e330 18 API calls 58119->58314 58126 4477ec 19 API calls 58121->58126 58127 4477ec 19 API calls 58122->58127 58130 494fde 58124->58130 58318 48e164 33 API calls 58124->58318 58136 495019 58125->58136 58137 495005 58125->58137 58126->58199 58127->58199 58128 494ef3 58132 46a7e0 57 API calls 58128->58132 58133 494f7b 58129->58133 58131 447570 19 API calls 58130->58131 58131->58199 58138 494efc 58132->58138 58316 48e330 18 API calls 58133->58316 58146 495028 58136->58146 58147 49504d 58136->58147 58140 447570 19 API calls 58137->58140 58141 4318a4 18 API calls 58138->58141 58139 494f81 58317 46a928 57 API calls 58139->58317 58140->58199 58142 494f07 58141->58142 58144 4477ec 19 API calls 58142->58144 58148 494f13 58144->58148 58145 494f8a 58149 4318a4 18 API calls 58145->58149 58150 495039 58146->58150 58319 48e0d0 33 API calls 58146->58319 58154 495099 58147->58154 58155 49505c 58147->58155 58152 494f95 58149->58152 58151 447570 19 API calls 58150->58151 58151->58199 58156 4477ec 19 API calls 58152->58156 58162 4950a8 58154->58162 
58163 4950e5 58154->58163 58157 49506d 58155->58157 58320 48e164 33 API calls 58155->58320 58158 494fa1 58156->58158 58160 49508a 58157->58160 58161 495076 58157->58161 58321 453aac 18 API calls 58160->58321 58164 4477ec 19 API calls 58161->58164 58166 4950b9 58162->58166 58322 48e164 33 API calls 58162->58322 58172 495119 58163->58172 58173 4950f4 58163->58173 58164->58199 58168 4950c2 58166->58168 58169 4950d6 58166->58169 58170 4477ec 19 API calls 58168->58170 58323 453aac 18 API calls 58169->58323 58170->58199 58176 495128 58172->58176 58177 49514d 58172->58177 58174 447498 32 API calls 58173->58174 58175 495101 58174->58175 58324 447718 19 API calls 58175->58324 58178 44743c 32 API calls 58176->58178 58181 49515c 58177->58181 58182 495166 58177->58182 58180 495132 58178->58180 58183 40352c 18 API calls 58180->58183 58325 409030 19 API calls 58181->58325 58187 495190 58182->58187 58188 495175 58182->58188 58185 49513c 58183->58185 58186 4477ec 19 API calls 58185->58186 58186->58199 58191 49519f 58187->58191 58192 4951c4 58187->58192 58326 494758 18 API calls 58188->58326 58190 49517e 58193 4477ec 19 API calls 58190->58193 58194 447498 32 API calls 58191->58194 58197 4951fa 58192->58197 58198 4951d3 58192->58198 58193->58199 58195 4951ab 58194->58195 58327 40905c 18 API calls 58195->58327 58202 495209 58197->58202 58203 49521f 58197->58203 58328 494758 18 API calls 58198->58328 58199->58069 58201 4951dc 58329 42eafc 19 API calls 58201->58329 58205 447570 19 API calls 58202->58205 58208 4952ce 58203->58208 58209 495232 58203->58209 58205->58199 58206 4951e8 58330 4837b0 58 API calls 58206->58330 58214 4952dd 58208->58214 58215 495324 58208->58215 58210 49523b 58209->58210 58211 49527e 58209->58211 58213 447498 32 API calls 58210->58213 58212 447498 32 API calls 58211->58212 58216 495291 58212->58216 58217 49524e 58213->58217 58218 447498 32 API calls 58214->58218 58224 495379 58215->58224 58225 495333 58215->58225 58219 447498 32 API calls 58216->58219 58220 
447498 32 API calls 58217->58220 58222 4952ec 58218->58222 58223 4952a2 58219->58223 58221 49525f 58220->58221 58331 494820 38 API calls 58221->58331 58227 447498 32 API calls 58222->58227 58228 47d578 57 API calls 58223->58228 58240 4953c6 58224->58240 58246 495388 58224->58246 58229 48e2a8 32 API calls 58225->58229 58231 4952ff 58227->58231 58232 4952b3 58228->58232 58233 495342 58229->58233 58230 49526d 58235 44743c 32 API calls 58231->58235 58237 447498 32 API calls 58233->58237 58238 49530d 58235->58238 58241 49534f 58237->58241 58249 49541e 58240->58249 58250 4953d5 58240->58250 58334 494954 40 API calls 58241->58334 58253 447498 32 API calls 58246->58253 58259 49547d 58249->58259 58268 49542d 58249->58268 58252 48e2a8 32 API calls 58250->58252 58255 4953e4 58252->58255 58257 4953ab 58253->58257 58256 447498 32 API calls 58255->58256 58336 4949f8 40 API calls 58257->58336 58266 4954d9 58259->58266 58267 49548c 58259->58267 58263 4953b6 58274 4954e8 58266->58274 58279 49552d 58266->58279 58277 447498 32 API calls 58267->58277 58270 447498 32 API calls 58268->58270 58272 495452 58270->58272 58279->58199 58304->58059 58305->58063 58306->58068 58307->58071 58308->58078 58309->58082 58310->58091 58311->58098 58312->58102 58313->58107 58314->58128 58315->58116 58316->58139 58317->58145 58318->58130 58319->58150 58320->58157 58321->58199 58322->58166 58323->58199 58324->58199 58326->58190 58327->58199 58328->58201 58329->58206 58330->58199 58331->58230 58336->58263 58342 416a3c DestroyWindow
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID: ADDBACKSLASH$ADDPERIOD$ADDQUOTES$CHARLENGTH$CONVERTPERCENTSTR$DELETEINIENTRY$DELETEINISECTION$DIREXISTS$FILECOPY$FILEEXISTS$FILEORDIREXISTS$FONTEXISTS$GETCMDTAIL$GETENV$GETINIBOOL$GETINIINT$GETINISTRING$GETSHORTNAME$GETSYSNATIVEDIR$GETSYSTEMDIR$GETSYSWOW64DIR$GETTEMPDIR$GETUILANGUAGE$GETWINDIR$INIKEYEXISTS$ISADMINLOGGEDON$ISINISECTIONEMPTY$ISPOWERUSERLOGGEDON$PARAMCOUNT$PARAMSTR$REGDELETEKEYIFEMPTY$REGDELETEKEYINCLUDINGSUBKEYS$REGDELETEVALUE$REGGETSUBKEYNAMES$REGGETVALUENAMES$REGKEYEXISTS$REGQUERYBINARYVALUE$REGQUERYDWORDVALUE$REGQUERYMULTISTRINGVALUE$REGQUERYSTRINGVALUE$REGVALUEEXISTS$REGWRITEBINARYVALUE$REGWRITEDWORDVALUE$REGWRITEEXPANDSTRINGVALUE$REGWRITEMULTISTRINGVALUE$REGWRITESTRINGVALUE$REMOVEBACKSLASH$REMOVEBACKSLASHUNLESSROOT$REMOVEQUOTES$SETINIBOOL$SETINIINT$SETINISTRING$SETNTFSCOMPRESSION$STRINGCHANGE$STRINGCHANGEEX$USINGWINNT
• API String ID: 0-4234653879
• Opcode ID: 41ece08bbbf6a323990f1ecb777884a85c897b4230cd9a3a9200b5780cb9fc64
• Instruction ID: 5ab6688b1d8de169e7eae929f0fe5b5c72d30124bbb070add725f290c9b618ac
• Opcode Fuzzy Hash: 41ece08bbbf6a323990f1ecb777884a85c897b4230cd9a3a9200b5780cb9fc64
• Instruction Fuzzy Hash: BAD25370B041455BDB04EBB9C8819AEBBA5AF58704F50893FB406AB346DF3CED068799
Strings
• .tmp, xrefs: 00471F97
• Existing file's SHA-1 hash matches our file. Skipping., xrefs: 00471C95
• Non-default bitness: 64-bit, xrefs: 0047188F
• Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 00471CB0
• Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 00471CA4
• User opted not to overwrite the existing file. Skipping., xrefs: 00471E2D
• Skipping due to "onlyifdoesntexist" flag., xrefs: 004719AE
• Time stamp of existing file: %s, xrefs: 00471A0B
• Same version. Skipping., xrefs: 00471CC5
• Version of existing file: (none), xrefs: 00471CDA
• Time stamp of existing file: (failed to read), xrefs: 00471A17
• Version of existing file: %u.%u.%u.%u, xrefs: 00471B5C
• Will register the file (a type library) later., xrefs: 00472502
• Stripped read-only attribute., xrefs: 00471EA7
• Installing into GAC, xrefs: 004726FA
• Version of our file: (none), xrefs: 00471ADC
• Incrementing shared file count (64-bit)., xrefs: 0047257B
• InUn, xrefs: 0047213F
• Dest filename: %s, xrefs: 00471874
• Time stamp of our file: (failed to read), xrefs: 00471987
• Uninstaller requires administrator: %s, xrefs: 0047216F
• Couldn't read time stamp. Skipping., xrefs: 00471D15
• -- File entry --, xrefs: 004716DB
• I, xrefs: 00471688
• Non-default bitness: 32-bit, xrefs: 0047189B
• , xrefs: 00471BAF, 00471D80, 00471DFE
• Version of our file: %u.%u.%u.%u, xrefs: 00471AD0
• Existing file is a newer version. Skipping., xrefs: 00471BE2
• Dest file is protected by Windows File Protection., xrefs: 004718CD
• User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 00471E76
• Time stamp of our file: %s, xrefs: 0047197B
• Dest file exists., xrefs: 0047199B
• Skipping due to "onlyifdestfileexists" flag., xrefs: 00471EDA
• Same time stamp. Skipping., xrefs: 00471D35
• Incrementing shared file count (32-bit)., xrefs: 00472594
• Installing the file., xrefs: 00471EE9
• Will register the file (a DLL/OCX) later., xrefs: 0047250E
• Failed to strip read-only attribute., xrefs: 00471EB3
• Existing file has a later time stamp. Skipping., xrefs: 00471DAF
• Existing file is protected by Windows File Protection. Skipping., xrefs: 00471DCC
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID: $-- File entry --$.tmp$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.$I
• API String ID: 0-4118084788
• Opcode ID: c45ef2569825c2cc80ee30367728a5172857cecb85d7291e990cb0d481d6bfed
• Instruction ID: 6bf2baeb3a70bced245c17dd6e1df6b1677c078c0e18323f60fd28fe4f0ee562
• Opcode Fuzzy Hash: c45ef2569825c2cc80ee30367728a5172857cecb85d7291e990cb0d481d6bfed
• Instruction Fuzzy Hash: 73927134A042889FDB11DFA9C585BDDBBF4AF05304F1480ABE848BB392D7789E45DB19

Control-flow Graph (rendered graph legend: Executed / Not Executed; basic blocks listed by address with their API calls and successor blocks)

• 42e4ec-42e4fd -> 42e4ff-42e503, 42e508-42e52d
• 42e4ff-42e503 -> 42e6d7-42e6df
• 42e508-42e52d AllocateAndInitializeSid -> 42e533-42e550, 42e6d7-42e6df
• 42e533-42e550 GetVersion -> 42e552-42e567, 42e569-42e56b
• 42e552-42e567 GetModuleHandleA GetProcAddress -> 42e569-42e56b
• 42e569-42e56b -> 42e56d-42e57b, 42e592-42e5ac
• 42e56d-42e57b CheckTokenMembership -> 42e581-42e58d, 42e6b9-42e6cf
• 42e581-42e58d -> 42e6b9-42e6cf
• 42e592-42e5ac GetCurrentThread OpenThreadToken -> 42e5ae-42e5b8, 42e5e3-42e60b
• 42e5ae-42e5b8 GetLastError -> 42e5ba-42e5bf, 42e5c4-42e5d7
• 42e5ba-42e5bf call 4031bc -> 42e6d7-42e6df
• 42e5c4-42e5d7 GetCurrentProcess OpenProcessToken -> 42e5d9-42e5de, 42e5e3-42e60b
• 42e5d9-42e5de call 4031bc -> 42e6d7-42e6df
• 42e5e3-42e60b GetTokenInformation -> 42e60d-42e615, 42e626-42e64a
• 42e60d-42e615 GetLastError -> 42e617-42e621, 42e626-42e64a
• 42e617-42e621 call 4031bc * 2 -> 42e6d7-42e6df
• 42e626-42e64a call 402648 GetTokenInformation -> 42e64c-42e656, 42e658-42e660
• 42e64c-42e656 call 4031bc * 2 -> 42e6d7-42e6df
• 42e658-42e660 -> 42e662-42e663, 42e693-42e6b1
• 42e662-42e663 -> 42e665-42e678
• 42e665-42e678 EqualSid -> 42e67a-42e687, 42e68f-42e691
• 42e67a-42e687 -> 42e689-42e68d, 42e68f-42e691
• 42e689-42e68d -> 42e693-42e6b1
• 42e68f-42e691 -> 42e665-42e678, 42e693-42e6b1
• 42e693-42e6b1 call 402660 CloseHandle
• 42e6b9-42e6cf FreeSid
• 42e6d7-42e6df
APIs
• AllocateAndInitializeSid.ADVAPI32(0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E526
• GetVersion.KERNEL32(00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E543
• GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E55C
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E562
• CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E6D0,?,0049B788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E577
• FreeSid.ADVAPI32(00000000,0042E6D7,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E6CA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
• String ID: CheckTokenMembership$advapi32.dll
• API String ID: 2252812187-1888249752
• Opcode ID: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
• Instruction ID: 33373ee259e646c263c3edb0d375fd355344fbe6f0fea3053a31bb261822ccd7
• Opcode Fuzzy Hash: bec140b171ea519891e8f75e6984b41f13cc792e2a5660a755a4f82e4b8777e7
• Instruction Fuzzy Hash: 33518371B44619AEDB10EAE69842B7F77ACDB19304FD4047BB500F72C2D57CD904876A

Control-flow Graph (rendered graph legend: Executed / Not Executed; basic blocks listed by address with their API calls and successor blocks)

• 450994-4509b9 -> 4509bf-4509cc, 450a8c-450ab0
• 4509bf-4509cc GetVersion -> 4509d2-450a0c, 450a8c-450ab0
• 4509d2-450a0c call 450964 call 42c84c call 40357c call 403738 LoadLibraryA -> 450a0e-450a87, 450a8c-450ab0
• 450a0e-450a87 GetProcAddress * 6 -> 450a8c-450ab0
• 450a8c-450ab0 call 403420
APIs
• GetVersion.KERNEL32(00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509BF
  • Part of subcall function 00450964: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0045097C
• LoadLibraryA.KERNEL32(00000000,00000000,00450AB1,?,?,?,?,00000000,00000000), ref: 004509FB
• GetProcAddress.KERNEL32(00000000,RmStartSession), ref: 00450A19
• GetProcAddress.KERNEL32(00000000,RmRegisterResources), ref: 00450A2E
• GetProcAddress.KERNEL32(00000000,RmGetList), ref: 00450A43
• GetProcAddress.KERNEL32(00000000,RmShutdown), ref: 00450A58
• GetProcAddress.KERNEL32(00000000,RmRestart), ref: 00450A6D
• GetProcAddress.KERNEL32(00000000,RmEndSession), ref: 00450A82
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressProc$DirectoryLibraryLoadSystemVersion
                                                                                                                                                                                                            • String ID: RmEndSession$RmGetList$RmRegisterResources$RmRestart$RmShutdown$RmStartSession$Rstrtmgr.dll
                                                                                                                                                                                                            • API String ID: 2754715182-3419246398
                                                                                                                                                                                                            • Opcode ID: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
                                                                                                                                                                                                            • Instruction ID: 7e76809d132c55fa29070b713de61cc7a3e08993567f6b48a797f9432d6667d5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d8d5ff48d6aa38830af6a9e8a73036221bb65f2481768552fb853932befe92ab
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 58212AB4A00304AEE710FBA5EC86A6E77F8E764755F50053BB810A71A3D6789D49CB1C

Control-flow Graph (function at 0042405C, blocks 42405c-4245c7; the graph image itself is not recoverable, only its block list, which is heavily branched with most blocks converging on 4245a2-4245aa). API calls by block: IsIconic (42421e-42422c, 4244ea-4244f8); GetFocus (4244fe-424509, 42444a-424495); SetFocus (42451e-424524, 42444a-424495); SendMessageA (424363-42438a); PostMessageA (42426e-42428a, 4242b1-4242ce, 4242d3-4242f0); IsWindowEnabled (424420-42442f, 4243c1-4243d0); IsWindowVisible (424435-424444). Internal subcalls: 00423fb8, 0040b69c, 00423fd4, 004245e4, 0042462c, 00418630, 00424ca0, 0041f444, 00404e54, 00424924, 0042497c, 00423f64, 004245c8, 00423ed4, 0041f2f4, 00424010, 0041f3a8, 0042309c, 00412760, 00415690.
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c2d28a4b4d1923454e08cb3fe27b72dfc3876b272648f6aa9b42a85e47afd24
• Instruction ID: 43e49367b0b6739e18dd975752e7d81306140be7a57883210305ee73c05c6530
• Opcode Fuzzy Hash: 1c2d28a4b4d1923454e08cb3fe27b72dfc3876b272648f6aa9b42a85e47afd24
• Instruction Fuzzy Hash: 59E16E30704124EFD710DB6AE685A5DB7F4EF84314FA540A6F6859B392CB38EE81DB09
APIs
  • Part of subcall function 004971B4: GetWindowRect.USER32(00000000), ref: 004971CA
• LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 004683DD
  • Part of subcall function 0041DB00: GetObjectA.GDI32 ref: 0041DB2B
  • Part of subcall function 00467E10: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
  • Part of subcall function 00467E10: ExtractIconA.SHELL32 ref: 00467ED9
  • Part of subcall function 00467E10: ExtractIconA.SHELL32 ref: 00467F30
  • Part of subcall function 004677CC: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4
  • Part of subcall function 00497438: MulDiv.KERNEL32(0000000D,?,0000000D,0046887D), ref: 00497442
  • Part of subcall function 0042F188: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4
  • Part of subcall function 0042F188: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201
  • Part of subcall function 00497104: GetDC.USER32 ref: 00497126
  • Part of subcall function 00497104: SelectObject.GDI32(?,00000000), ref: 0049714C
  • Part of subcall function 00497104: ReleaseDC.USER32(00000000,?), ref: 0049719D
  • Part of subcall function 00497428: MulDiv.KERNEL32(0000004B,?,00000006,00497121,?,?,?), ref: 00497432
• GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?,?,00000000,?), ref: 00469080
• AppendMenuA.USER32 ref: 00469091
• AppendMenuA.USER32 ref: 004690A9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$AppendExtractIconObject$AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadProcRectReleaseSelectSystemUserWindow
• String ID: $(Default)$STOPIMAGE
• API String ID: 616467991-770201673
• Opcode ID: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
• Instruction ID: 80892e57212ece105f8354d293749779e47711168eff5a6823bea21c9da9ff55
• Opcode Fuzzy Hash: 533b5b9c69d50d4e3bf7389d015b08925e7f9e5915c964b06be795d887c19e03
• Instruction Fuzzy Hash: 90F2E7786005108FCB00EB69D8D9F9977F5BF89304F1542BAE5049B36ADB78EC46CB4A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476179
• FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476256
• FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,0047628A,?,?,0049E1E4,00000000), ref: 00476264
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$File$CloseFirstNext
• String ID: unins$unins???.*
• API String ID: 3541575487-1009660736
• Opcode ID: 4d6b4c78c27d307665df1e659c75eb40dbe6a289c02ca47561d52f2f5fb83ddd
• Instruction ID: eb89464c752a784b36226a23c26c23c5edadcf818cb3280f2000aa581376a5b5
• Opcode Fuzzy Hash: 4d6b4c78c27d307665df1e659c75eb40dbe6a289c02ca47561d52f2f5fb83ddd
• Instruction Fuzzy Hash: 11312E70600548ABDB50EB65CC81ADEBBADDB45314F5180F6A84CAB3A6DB389F418F58
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E1
• GetLastError.KERNEL32(00000000,?,00000000,00453207,?,?,-00000001,00000000), ref: 004531E9
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorFileFindFirstLast
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 873889042-0
                                                                                                                                                                                                            • Opcode ID: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
                                                                                                                                                                                                            • Instruction ID: d0bf465202dae3429285692917932fac375c13b7b10a14b33624456fe0da4cd4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1201cac6feb998a2fb112764d438cb0eb727cdb5a4391e78fe092c8218b0a9ce
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FEF02371A046047BCB10DF7AAC0145EF7ACDB4577675046BBFC14D3291DB784F088558
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetVersion.KERNEL32(?,0046EE9A), ref: 0046EE0E
                                                                                                                                                                                                            • CoCreateInstance.OLE32(0049BB9C,00000000,00000001,0049BBAC,?,?,0046EE9A), ref: 0046EE2A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateInstanceVersion
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1462612201-0
                                                                                                                                                                                                            • Opcode ID: 7e3b900fcc793c87492424567843667f4fc9824702b62168173c7bf035024e7d
                                                                                                                                                                                                            • Instruction ID: 784abeb2b863a263b0685f2ce256345c834679a9cfc70721c753cc97000ad865
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7e3b900fcc793c87492424567843667f4fc9824702b62168173c7bf035024e7d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2AF0E534241310EEFB11E72BDC4AB4A3BC4AB25714F14403BF144972A1E3EE94808B6F
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InfoLocale
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2299586839-0
                                                                                                                                                                                                            • Opcode ID: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
                                                                                                                                                                                                            • Instruction ID: 37d1d3aac47cb6b8cd62020f591dd9ac8cec50bf03644e7f1bddec785b1dbc63
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 40f9e6ad7b9874a9b05efedc53f019727417c817c0661ecad43f37488e602a1d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63E0227170021452C315A91A8C82AFAB24C9B18314F00427FB948E73C3EDB89E8042ED
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,?,004245A1,?,00000000,004245AC), ref: 00423FFE
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4255912815-0
                                                                                                                                                                                                            • Opcode ID: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
                                                                                                                                                                                                            • Instruction ID: 626c949ff67c0b5daba62b8ffba664747ea83a29b03f4787c3cb7294a8149fcf
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15ec92afe3337674697e5aaff926351660f6d808b83c1ecc1d592f8d8ff41db7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9CF0B379205608AF8B40DF99C588D4ABBE8AB4C260B058295B988CB321C234EE808F94
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: NameUser
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2645101109-0
                                                                                                                                                                                                            • Opcode ID: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
                                                                                                                                                                                                            • Instruction ID: 82cf1e81aeab4cdf4c711474db213eebdc1b2e178f500b1422eacd8e28b83923
                                                                                                                                                                                                            • Opcode Fuzzy Hash: aa3a47175e92b859a3c3631cc0a30abc799c89e82c4a450a6b7a51612d703bec
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0AD0C27230460063C700AAA99C826AA359C8B84305F00883F3CC5DA2C3EABDDA4C5696
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F9DC
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4255912815-0
                                                                                                                                                                                                            • Opcode ID: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
                                                                                                                                                                                                            • Instruction ID: 416a4692ed3cb8c0a12f59f0b22837e163b9cfd3c66ebd18f18690eb3ad7abe4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2621fde08b5d071fc730d3c03362a0ac5d2de45ee12ad7e5c10e42539110ff87
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 07D0A7B220010C7FDB00DE98D840D6B33BC9B8C700B90C826F945C7241D234EDA0CBB8

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            • Executed
• control_flow_graph: basic blocks 0046FE70-00470531 (rendered graph; edge list not reproduced)
APIs
• Part of subcall function 0046FC5C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F
• RegCloseKey.ADVAPI32(?,00470539,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,00470584,?,?,0049E1E4,00000000), ref: 0047052C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseValue
• String ID: " /SILENT$5.5.9 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$VersionMajor$VersionMinor$_is1
• API String ID: 3132538880-2925550972
• Opcode ID: bc37eb7b33f48fd6375a2aa0431a5c1acc9702acff4f8118334c88b6a14bec13
• Instruction ID: 8dffaa2781584bc6e947bd791be20880efee78ab32c439a28404737c84d0984c
• Opcode Fuzzy Hash: bc37eb7b33f48fd6375a2aa0431a5c1acc9702acff4f8118334c88b6a14bec13
• Instruction Fuzzy Hash: F8124F34A00108DBDB04EB55E991ADE77F5EF48304F60807BE804AB3A5EB79BD45CB59

Control-flow Graph

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
• GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
• GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
• GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 00406655
• GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 0040666B
• SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406676
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModulePolicyProcessVersion
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
• API String ID: 3297890031-2388063882
• Opcode ID: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
• Instruction ID: 52ceb319b1b10a2745084cc2a18598c2ecefae742a63aceaaee3a2f28509b87b
• Opcode Fuzzy Hash: 7c5204fbbc2168c2f62eadc490ed385a4cfd672bd01c7cc457884a48157f0828
• Instruction Fuzzy Hash: 7061F130A00109EBCB01FBA6D982D8E77B9AB44709B214077B405772E6DB3DEF199B5D

Control-flow Graph

• control_flow_graph: basic blocks 00484E68-00484F3E (rendered graph; edge list not reproduced)
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
• GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
• GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
• GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484EF9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
• String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
• API String ID: 2230631259-2623177817
• Opcode ID: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
• Instruction ID: 19f93fc1e60286517b98713993879556ba5b021e510ed05db2a10d1898c9039d
• Opcode Fuzzy Hash: cd68709e737b022a93ba3f5ff6983bcc42b0d1d8f8071fae57a82298f7546d18
• Instruction Fuzzy Hash: E8110351109353A4E721B3796E46B7F25889B8031CF080C7F7B84666C6EA7CC845833F

Control-flow Graph

• control_flow_graph: basic blocks 00469A0C-00469C40 (rendered graph; edge list not reproduced)
APIs
• Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(?,00469C26,?,?,00000001,00000000,00000000,00469C41,?,00000000,00000000,?), ref: 00469C0F
Strings
• Inno Setup: Selected Components, xrefs: 00469B2E
• Inno Setup: User Info: Name, xrefs: 00469BCB
• Inno Setup: App Path, xrefs: 00469ACE
• Inno Setup: User Info: Serial, xrefs: 00469BF1
• %s\%s_is1, xrefs: 00469A89
• Inno Setup: Setup Type, xrefs: 00469B1E
• Inno Setup: Icon Group, xrefs: 00469AEA
• Inno Setup: User Info: Organization, xrefs: 00469BDE
• Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00469A6B
• Inno Setup: Deselected Tasks, xrefs: 00469B9D
• Inno Setup: Deselected Components, xrefs: 00469B50
• Inno Setup: Selected Tasks, xrefs: 00469B7B
• Inno Setup: No Icons, xrefs: 00469AF7
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpen
• String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                                            • API String ID: 47109696-1093091907
                                                                                                                                                                                                            • Opcode ID: 4c47772e7264278c1f1c36682a28658a2c65fb6567e9afa7e67a01330b73d777
                                                                                                                                                                                                            • Instruction ID: c7de7197f4a769c9e7c3cd52df4c64fbb683598124d789e1de9a85ab418445f9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4c47772e7264278c1f1c36682a28658a2c65fb6567e9afa7e67a01330b73d777
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C4519430A006089BCB15DB66D941BEEB7F9EF49304F5084BAE84067395E7B8AF01CB5D

Control-flow Graph

APIs
  • Part of subcall function 0042DCE8: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,0045451C,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D), ref: 0042DCFB
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042DD40: GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
  • Part of subcall function 0042DD40: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60
• SHGetKnownFolderPath.SHELL32(0049BD44,00008000,00000000,?,00000000,0047DC4C), ref: 0047DB52
• CoTaskMemFree.OLE32(?,0047DB95), ref: 0047DB88
  • Part of subcall function 0042D658: GetEnvironmentVariableA.KERNEL32(00000000,00000000,00000000,?,?,00000000,0042DE8E,00000000,0042DF20,?,?,?,0049D62C,00000000,00000000), ref: 0042D683
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Directory$AddressEnvironmentFolderFreeHandleKnownModulePathProcSystemTaskVariableWindows
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 3771764029-544719455
• Opcode ID: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
• Instruction ID: 0fe7c2c5921331aa3b985ab989dbf77b3a087c61dea5e3792aec770f31e1cce1
• Opcode Fuzzy Hash: 6ec6ff986ef5dd5265772e09c3445ba75f4a3d0a7ec86f160005d9c17a7e769a
• Instruction Fuzzy Hash: A061B234E24204AFDB11EFA6D84269E7B78EF84318F51C57BE404AB391D77CAA41CA1D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 2988 45d3bc-45d3d4 2989 45d3e5-45d3ec 2988->2989 2990 45d3d6-45d3e3 GetVersion 2988->2990 2992 45d635-45d63e 2989->2992 2990->2989 2991 45d3f1-45d428 GetModuleHandleA GetProcAddress * 3 2990->2991 2993 45d436-45d43d 2991->2993 2994 45d42a-45d42e 2991->2994 2993->2992 2994->2993 2995 45d430-45d434 2994->2995 2995->2993 2996 45d442-45d480 call 45d2c4 2995->2996 3000 45d482-45d487 call 4031bc 2996->3000 3001 45d48c-45d4b1 call 406e2c 2996->3001 3000->2992 3006 45d4b7-45d4b8 3001->3006 3007 45d54e-45d568 3001->3007 3008 45d4ba-45d4de AllocateAndInitializeSid 3006->3008 3012 45d579-45d59a 3007->3012 3013 45d56a-45d574 call 4031bc * 2 3007->3013 3010 45d504-45d548 3008->3010 3011 45d4e0-45d4ec GetLastError 3008->3011 3010->3007 3010->3008 3014 45d4f5-45d4ff call 4031bc * 2 3011->3014 3015 45d4ee 3011->3015 3019 45d59e-45d5b7 LocalFree 3012->3019 3013->2992 3014->2992 3015->3014
APIs
• GetVersion.KERNEL32 ref: 0045D3D6
• GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045D3F6
• GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045D403
• GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045D410
• GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045D41E
  • Part of subcall function 0045D2C4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045D363,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045D33D
• AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4D7
• GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045D611,?,?,00000000), ref: 0045D4E0
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
• String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
• API String ID: 59345061-4263478283
• Opcode ID: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
• Instruction ID: 1fdbc06bdf38f6500452038ca5d2f44928d617c4984e35671f0aa61f53d98d16
• Opcode Fuzzy Hash: 0336fb35fd749793045182d1361f828010284629c3cee937cf748adbc12729e9
• Instruction Fuzzy Hash: D35183B1D00208EFDB20DF99C841BAEB7B8EF49315F14806AF904B7382D6789945CF69

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3295 47e184-47e1d6 call 42dd14 call 42c84c call 4035c0 call 452d1c 3304 47e1f3-47e1fa 3295->3304 3305 47e1d8-47e1df 3295->3305 3308 47e205-47e207 3304->3308 3309 47e1fc-47e203 3304->3309 3306 47e1e1-47e1e8 3305->3306 3307 47e209 3305->3307 3306->3304 3310 47e1ea-47e1f1 3306->3310 3311 47e20b-47e20d 3307->3311 3308->3311 3309->3307 3309->3308 3310->3304 3310->3307 3312 47e20f-47e234 call 42c84c call 4035c0 call 47de48 3311->3312 3313 47e239-47e26e call 42dd14 call 42c84c call 40357c call 42e7e4 * 2 3311->3313 3312->3313 3328 47e273-47e27f 3313->3328 3329 47e2a6-47e2c0 GetProcAddress 3328->3329 3330 47e281-47e2a1 call 407d44 call 453aac 3328->3330 3332 47e2c2-47e2c7 call 453aac 3329->3332 3333 47e2cc-47e2ee call 403420 call 403400 3329->3333 3330->3329 3332->3333
APIs
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• GetProcAddress.KERNEL32(00000000,SHGetFolderPathA), ref: 0047E2B1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressDirectoryProcSystem
• String ID: 2$Failed to get address of SHGetFolderPath function$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$shell32.dll$shfolder.dll
• API String ID: 996212319-3422985891
• Opcode ID: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
• Instruction ID: 9758cc0716918fe71002c31ee1435c1447d2ac946059de1b269defc554b01a12
• Opcode Fuzzy Hash: 2ee55fa07f5402e21f3b06f2d1869faf56609dd587cb054fbf2c8bfa1446e0f1
• Instruction Fuzzy Hash: C9415830A00119DFDB10DFA6C9415DE77B8FB48309F50C9BBE414A7252D7389E05CB59

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 3341 423cc4-423cce 3342 423df7-423dfb 3341->3342 3343 423cd4-423cf6 call 41f814 GetClassInfoA 3341->3343 3346 423d27-423d30 GetSystemMetrics 3343->3346 3347 423cf8-423d0f RegisterClassA 3343->3347 3349 423d32 3346->3349 3350 423d35-423d3f GetSystemMetrics 3346->3350 3347->3346 3348 423d11-423d22 call 40910c call 40311c 3347->3348 3348->3346 3349->3350 3352 423d41 3350->3352 3353 423d44-423da0 call 403738 call 4062f8 call 403400 call 423a9c SetWindowLongA 3350->3353 3352->3353 3364 423da2-423db5 call 4245c8 SendMessageA 3353->3364 3365 423dba-423de8 GetSystemMenu DeleteMenu * 2 3353->3365 3364->3365 3365->3342 3367 423dea-423df2 DeleteMenu 3365->3367 3367->3342
APIs
  • Part of subcall function 0041F814: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832
• GetClassInfoA.USER32(00400000,00423ACC), ref: 00423CEF
• RegisterClassA.USER32(0049B630), ref: 00423D07
• GetSystemMetrics.USER32(00000000), ref: 00423D29
• GetSystemMetrics.USER32(00000001), ref: 00423D38
• SetWindowLongA.USER32(004108B0,000000FC,00423ADC,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423D94
• SendMessageA.USER32 ref: 00423DB5
• GetSystemMenu.USER32(004108B0,00000000,004108B0,000000FC,00423ADC,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C,0041F1F4), ref: 00423DC0
• DeleteMenu.USER32(00000000,0000F030,00000000,004108B0,00000000,004108B0,000000FC,00423ADC,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00423DCF
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,004108B0,000000FC,00423ADC,00000000,00400000,00000000,00000000,00000000), ref: 00423DDC
• DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,004108B0,00000000,004108B0,000000FC,00423ADC,00000000,00400000), ref: 00423DF2
Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 183575631-0
                                                                                                                                                                                                            • Opcode ID: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
                                                                                                                                                                                                            • Instruction ID: 7df3f4c256e16cf88ed5bb8a347b5b3a25df550de305930316ee8fcfc6e0617b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3116a5487ebf53a9d66fce753d5cf134baefce0d2e8bfc1e8daa4fcba584e635
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 203164B17502106AEB10AF65DC86F6A3698D714709F60017AFA40EF2D7C6BDED40476D

Control-flow Graph
[Control-flow graph of the function at 00482C40 (basic blocks 00482C40-00482EA4): a chain of internal calls, two conditional FreeLibrary calls, then either SendNotifyMessageA or a call to 004803C8 before the function returns]
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00482DFD
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00482E11
                                                                                                                                                                                                            • SendNotifyMessageA.USER32(000104F4,00000496,00002710,00000000), ref: 00482E83
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • DeinitializeSetup, xrefs: 00482CF9
                                                                                                                                                                                                            • Not restarting Windows because Setup is being run from the debugger., xrefs: 00482E32
                                                                                                                                                                                                            • Deinitializing Setup., xrefs: 00482C5E
                                                                                                                                                                                                            • GetCustomSetupExitCode, xrefs: 00482C9D
                                                                                                                                                                                                            • Restarting Windows., xrefs: 00482E5E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FreeLibrary$MessageNotifySend
                                                                                                                                                                                                            • String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
                                                                                                                                                                                                            • API String ID: 3817813901-1884538726
                                                                                                                                                                                                            • Opcode ID: e5211ca08898a9106291910dfe2dba0549e66411077619477168a2445555e2a8
                                                                                                                                                                                                            • Instruction ID: 87ca8a1097935e6c4637b022688acffdd958b69fb8a4991d3dc3ea9519d40e2c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e5211ca08898a9106291910dfe2dba0549e66411077619477168a2445555e2a8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F851AA30600200EFD711EF6AD949B6E7BE4EB19718F51897BE800D72A1DBB89C45CB5D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetActiveWindow.USER32(00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FA2F
                                                                                                                                                                                                            • GetFocus.USER32(00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FA37
                                                                                                                                                                                                            • RegisterClassA.USER32(0049B7AC), ref: 0042FA58
                                                                                                                                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042FB2C,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042FA96
                                                                                                                                                                                                            • CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042FADC
                                                                                                                                                                                                            • ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042FAED
                                                                                                                                                                                                            • SetFocus.USER32(00000000,00000000,0042FB0F,?,?,?,00000001,00000000,?,00458B4E,00000000,0049D62C), ref: 0042FAF4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$CreateFocus$ActiveClassRegisterShow
                                                                                                                                                                                                            • String ID: TWindowDisabler-Window
                                                                                                                                                                                                            • API String ID: 3167913817-1824977358
                                                                                                                                                                                                            • Opcode ID: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
                                                                                                                                                                                                            • Instruction ID: be32ada46e774ba6914a87ad40c025b2c9e25f6d11d521099bf08b28c91ad89a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fec87ca07d7290a4a57da710bc1ddf3081f88a8d4dfe440d170acd63eb0d43c3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E121B570B40720BAE210EB65EC03F1A76B4EB04B04FA1813BF504BB2D1D7B96C1487AD
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-2130885113
                                                                                                                                                                                                            • Opcode ID: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
                                                                                                                                                                                                            • Instruction ID: a193a4472c2853cf72940ff7690ab9972ac4b2f80f688c1a00737a0c34b4483d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82da2a28b5003144a588bfd6711196aeba7955ca25a5e24eec6645e80d453e72
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B211E3B0A00244BBDB00EF66DC03F5E7BA8D70475AF60447BF84166282D6BC9F088A2D
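The function block above shows the sample resolving Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection through GetModuleHandleA/GetProcAddress rather than its import table. Disabling WOW64 file-system redirection lets a 32-bit process reach the native System32 directory, which is routine for installers that ship 64-bit components but is also a step malware takes before dropping files there, so it is a triage hint rather than a verdict. As an added example (written for this edit, not part of the Joe Sandbox report or of the analysed sample), the Python below parses API lines in the format the report uses and flags a function block that resolves watchlisted symbols at run time. The watchlist, the parser and the sample lines (constructed copies of the four lines above) are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One API line of a Joe Sandbox function block, e.g.
#   • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
#   • SendMessageA.USER32 ref: 00423DB5
#   • Part of subcall function 0041F814: VirtualAlloc.KERNEL32(...), ref: 0041F832
API_LINE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Editor-chosen watchlist (an assumption of this example, not defined by the report):
# symbols whose run-time resolution deserves a second look, because disabling
# WOW64 file-system redirection gives a 32-bit process the native System32.
WATCHLIST = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                    # call-site address from the "ref:" field
    subcall_of: Optional[int]   # set for "Part of subcall function" lines

    def string_args(self) -> List[str]:
        # Recovered stack slots are printed as 8 hex digits or "?"; anything
        # else is a string the decompiler could resolve (a DLL or symbol name).
        return [a for a in self.args if a != "?" and not HEX32.match(a)]


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; return None for headers and non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(
        api=m.group("api"),
        module=m.group("mod"),
        args=args,
        ref=int(m.group("ref"), 16),
        subcall_of=int(sub, 16) if sub else None,
    )


def parse_api_block(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is not None:
            calls.append(call)
    return calls


def runtime_resolved_symbols(calls: List[ApiCall]) -> Set[str]:
    """Symbol names a block resolves through GetProcAddress.

    The report shows the symbol name only as a leftover stack argument on the
    neighbouring GetModuleHandleA line, not on GetProcAddress itself, so once a
    GetProcAddress is present we collect string arguments from the whole block
    and drop the module names.
    """
    if not any(c.api == "GetProcAddress" for c in calls):
        return set()
    names: Set[str] = set()
    for c in calls:
        for s in c.string_args():
            if not s.lower().endswith(".dll"):
                names.add(s)
    return names


def flags_wow64_redirection_bypass(calls: List[ApiCall]) -> bool:
    """True when the block resolves any watchlisted symbol at run time."""
    return bool(runtime_resolved_symbols(calls) & WATCHLIST)


# Constructed sample: copies of the four API lines of the block at 00453956.
SAMPLE_BLOCK = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
• GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976
"""

if __name__ == "__main__":
    block = parse_api_block(SAMPLE_BLOCK)
    for c in block:
        print(f"{c.ref:08X} {c.module}!{c.api} {c.args}")
    print("runtime-resolved:", sorted(runtime_resolved_symbols(block)))
    print("wow64 redirection bypass:", flags_wow64_redirection_bypass(block))
```

The heuristic deliberately reads names off the whole block instead of the GetProcAddress line, because the report's argument recovery for GetProcAddress (shown above as `00000000,kernel32.dll`) does not carry the symbol. Feed it one "APIs" block at a time; mixing blocks would let a string from an unrelated function satisfy the watchlist.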
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 00467EB3
                                                                                                                                                                                                            • ExtractIconA.SHELL32 ref: 00467ED9
                                                                                                                                                                                                              • Part of subcall function 00467D4C: DrawIconEx.USER32 ref: 00467DE7
                                                                                                                                                                                                              • Part of subcall function 00467D4C: DestroyCursor.USER32(00000000), ref: 00467DFD
                                                                                                                                                                                                            • ExtractIconA.SHELL32 ref: 00467F30
                                                                                                                                                                                                            • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00467F91
                                                                                                                                                                                                            • ExtractIconA.SHELL32 ref: 00467FB7
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Icon$Extract$FileInfo$CursorDestroyDraw
                                                                                                                                                                                                            • String ID: c:\directory$shell32.dll
                                                                                                                                                                                                            • API String ID: 3376378930-1375355148
                                                                                                                                                                                                            • Opcode ID: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
                                                                                                                                                                                                            • Instruction ID: adf232676f9dc8545d434ff73a7213ff4163269ef5d9f53791e9b27a0c2465ea
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5f39b0330533c07a7ed62396f03ad1b0497855389b17cb99d84a9eecbd47350c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 64516D70644208AFD750EF65CC85FDEBBA8EB48308F1085A7F5089B391DA399E85CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RegisterClipboardFormatA.USER32 ref: 00430DE8
                                                                                                                                                                                                            • RegisterClipboardFormatA.USER32 ref: 00430DF7
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00430E11
                                                                                                                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 00430E32
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
                                                                                                                                                                                                            • String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
                                                                                                                                                                                                            • API String ID: 4130936913-2943970505
                                                                                                                                                                                                            • Opcode ID: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
                                                                                                                                                                                                            • Instruction ID: dd09876b0f9c3184917b018614b917cdad608ae665b29eb2c15b2e3af62d5cdc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 50811bd1b0b0bc88e10382fd261453b7235327efbd1eb80bce93881789032006
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98F082B09483409ED300EF26890371A7AE0AB58708F404F3FB48CA2291D7399910CB1F
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994,00000000), ref: 00455922
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00455994,00455994,?,00455994), ref: 0045592F
                                                                                                                                                                                                              • Part of subcall function 004556E4: WaitForInputIdle.USER32 ref: 00455710
                                                                                                                                                                                                              • Part of subcall function 004556E4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF,?,?,?,00000000,?,?,00455943,?,?,?,00000044), ref: 00455732
                                                                                                                                                                                                              • Part of subcall function 004556E4: GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
                                                                                                                                                                                                              • Part of subcall function 004556E4: CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                                                                                                                                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                                                                                                                                                                            • API String ID: 854858120-615399546
                                                                                                                                                                                                            • Opcode ID: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
                                                                                                                                                                                                            • Instruction ID: 19165e213e9236b89a5b086241af4e71530f18fc7e42ed674525c8849c01d6f6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3aef928493a85a336b4fdc45b2ef872796c76b537a4fe3cf952342f788ba9a48
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F4514A7060074DABDB11EF96C892BEEBBB9AF44315F50403BF804BB282D77C99198759
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
                                                                                                                                                                                                            • OemToCharA.USER32(?,?), ref: 00423BAC
                                                                                                                                                                                                            • CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Char$FileIconLoadLowerModuleName
                                                                                                                                                                                                            • String ID: 2$MAINICON
                                                                                                                                                                                                            • API String ID: 3935243913-3181700818
                                                                                                                                                                                                            • Opcode ID: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
                                                                                                                                                                                                            • Instruction ID: e5d3831d9b5483d4bbbd2f836839ca6b10e9aa02fde8f17f2ef2fb4492c3d901
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5bb029359a14fe80b98f3d31a1bddee7a09f53b94ef6d4528e1ea31487fdaa44
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6031A271A042549ADB10EF29C8C57C67BE8AF14308F4045BAE844DB383D7BED988CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32(00000000), ref: 0041938D
                                                                                                                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 004193AE
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004193C9
                                                                                                                                                                                                            • GlobalAddAtomA.KERNEL32(00000000), ref: 004193EA
                                                                                                                                                                                                              • Part of subcall function 00423518: GetDC.USER32 ref: 0042356E
                                                                                                                                                                                                              • Part of subcall function 00423518: EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
                                                                                                                                                                                                              • Part of subcall function 00423518: GetDeviceCaps.GDI32 ref: 00423589
                                                                                                                                                                                                              • Part of subcall function 00423518: ReleaseDC.USER32(00000000,00000000), ref: 00423594
                                                                                                                                                                                                              • Part of subcall function 00423ADC: LoadIconA.USER32(00400000,MAINICON), ref: 00423B6C
                                                                                                                                                                                                              • Part of subcall function 00423ADC: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423B99
                                                                                                                                                                                                              • Part of subcall function 00423ADC: OemToCharA.USER32(?,?), ref: 00423BAC
                                                                                                                                                                                                              • Part of subcall function 00423ADC: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00419436,00000000,?,?,?,00000001), ref: 00423BEC
                                                                                                                                                                                                              • Part of subcall function 0041F568: GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
                                                                                                                                                                                                              • Part of subcall function 0041F568: SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
                                                                                                                                                                                                              • Part of subcall function 0041F568: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
                                                                                                                                                                                                              • Part of subcall function 0041F568: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
                                                                                                                                                                                                              • Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
• Part of subcall function 0041F568: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$CapsDeviceEnumFileFontsIconLibraryLowerModuleNameProcessReleaseThreadVersion
• String ID: ControlOfs%.8X%.8X$Delphi%.8X
• API String ID: 316262546-2767913252
• Opcode ID: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
• Instruction ID: 7870b9ea93aa7f75565cd31cdf92f475c288cd9ab0443d66b722f1effdfa130a
• Opcode Fuzzy Hash: e4565b8fba9480968b1ec32b488455297d6f31b702462cc9ec0cccc8cb2a2db4
• Instruction Fuzzy Hash: 8D112C70A182419AC300FF36D44279A7AE09BA430CF50893FF488AB3A1DB3D9D458B5E
APIs
• SetWindowLongA.USER32(?,000000FC,?), ref: 00413AB4
• GetWindowLongA.USER32(?,000000F0), ref: 00413ABF
• GetWindowLongA.USER32(?,000000F4), ref: 00413AD1
• SetWindowLongA.USER32(?,000000F4,?,?,000000F4,?,000000F0,?,000000FC,?), ref: 00413AE4
• SetPropA.USER32(?,00000000,00000000), ref: 00413AFB
• SetPropA.USER32(?,00000000,00000000), ref: 00413B12
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: LongWindow$Prop
• String ID:
• API String ID: 3887896539-0
• Opcode ID: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
• Instruction ID: a594f7604add2a8bfce9427623ad02c9736cb33a5a72341fbb506abd62de3718
• Opcode Fuzzy Hash: a72ee32d6cac1f66b8d23ea34dc7313db56b2b1373a44c7e0100784739caab29
• Instruction Fuzzy Hash: 0811CC75500244BFDF00DF99ED88E9A3BE8EB09364F104276B914DB2E1D739D990CB94
APIs
• RtlEnterCriticalSection.KERNEL32(0049D420), ref: 00401ABD
• LocalFree.KERNEL32(00000000,00000000,00401B68), ref: 00401ACF
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401AEE
• LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401B68), ref: 00401B2D
• RtlLeaveCriticalSection.KERNEL32 ref: 00401B58
• RtlDeleteCriticalSection.KERNEL32(0049D420), ref: 00401B62
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
• String ID:
• API String ID: 3782394904-0
• Opcode ID: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
• Instruction ID: 86217af8f0c65890f5da76d4fe10d609cc5e2f7049d93a5e71f2b830536aceac
• Opcode Fuzzy Hash: a09964db7d5e1398f2afb7250b5a8c8ddfedb2b5ecba3fe18733cc428a63f314
• Instruction Fuzzy Hash: 7A11BF70E003405AEB15AB659D82B267BE4976570CF44007BF50067AF1D77CB840C76E
APIs
• FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 00473259
• FindClose.KERNEL32(000000FF,00473284,0047327D,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473277
• FindNextFileA.KERNEL32(000000FF,00000000,00000000,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639), ref: 0047337B
• FindClose.KERNEL32(000000FF,004733A6,0047339F,I,?,?,I,00000000,0047346D,?,00000000,?,00000000,?,00473639,?), ref: 00473399
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID: I
• API String ID: 2066263336-1966777607
• Opcode ID: 8b65bf247db3295ca275b67f998f10653201df018fbb24eda57c1ca99500e988
• Instruction ID: 1af051264105f0c3ac5173717805306f181c97d1b343904b0a5707565e1f6f82
• Opcode Fuzzy Hash: 8b65bf247db3295ca275b67f998f10653201df018fbb24eda57c1ca99500e988
• Instruction Fuzzy Hash: F2C13C7490425DAFCF11DFA5C881ADEBBB9FF49304F5081AAE808A3351D7399A46CF54
APIs
• Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0045600B,?,00000000,0045604B), ref: 00455F51
Strings
• WININIT.INI, xrefs: 00455F80
• PendingFileRenameOperations2, xrefs: 00455F20
• PendingFileRenameOperations, xrefs: 00455EF0
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00455ED4
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
• API String ID: 47109696-2199428270
• Opcode ID: d50b001d9c5861cf59dff7f380f4b5b732c1d3e96307ee4737eba963c52de0e7
• Instruction ID: cd3286cbb97796e9ecd700c4ab963dac99c65abdd87cbf21601b40f17af9d083
• Opcode Fuzzy Hash: d50b001d9c5861cf59dff7f380f4b5b732c1d3e96307ee4737eba963c52de0e7
• Instruction Fuzzy Hash: 1551B930E001089FDB11EF61DC51ADEB7B9EF44705F5085BBE804A72D2DB39AE45CA58
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF33
• GetLastError.KERNEL32(00000000,00000000,00000000,0047DFF6,?,?,00000000,0049D62C,00000000,00000000,?,00499E21,00000000,00499FCA,?,00000000), ref: 0047DF3C
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: Created temporary directory: $\_setup64.tmp$_isetup
• API String ID: 1375471231-2952887711
APIs
• RegDeleteKeyA.ADVAPI32 ref: 0042E2A0
• GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042E43B,00000000,0042E453,?,?,?,?,00000006,?,00000000,00499145), ref: 0042E2BB
• GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E2C1
Similarity
• API ID: AddressDeleteHandleModuleProc
• String ID: RegDeleteKeyExA$advapi32.dll
• API String ID: 588496660-1846899949
Strings
• NextButtonClick, xrefs: 0046C90C
• PrepareToInstall failed: %s, xrefs: 0046CB2E
• Need to restart Windows? %s, xrefs: 0046CB55
Similarity
• API ID:
• String ID: Need to restart Windows? %s$NextButtonClick$PrepareToInstall failed: %s
• API String ID: 0-2329492092
APIs
• SetActiveWindow.USER32(?,?,00000000,004847C1), ref: 00484594
• SHChangeNotify.SHELL32 ref: 00484632
Similarity
• API ID: ActiveChangeNotifyWindow
• String ID: $Need to restart Windows? %s
• API String ID: 1160245247-4200181552
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000), ref: 00454A8A
• FindClose.KERNEL32(000000FF,00454AB5,00454AAE,?,00000000,00454B22,?,?,-00000001,00000000,?,0047E107,00000000,0047E054,00000000,00000000), ref: 00454AA8
Similarity
• API ID: Find$CloseFileNext
• String ID: .H$ .H
• API String ID: 2066263336-1676226347
APIs
  • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
• GetLastError.KERNEL32(00000000,00470B35,?,?,0049E1E4,00000000), ref: 00470A12
• SHChangeNotify.SHELL32 ref: 00470A8C
• SHChangeNotify.SHELL32 ref: 00470AB1
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ChangeNotify$ErrorFullLastNamePath
                                                                                                                                                                                                            • String ID: Creating directory: %s
                                                                                                                                                                                                            • API String ID: 2451617938-483064649
                                                                                                                                                                                                            • Opcode ID: 519d604a295cfca3f5bc7865948506fb75fa43ea9c4cb787d6d2d3d896bd866d
                                                                                                                                                                                                            • Instruction ID: 27f0dcb835b35bf1686b0556d16ec1317b7bae4cbab61287d01ee882f408922b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 519d604a295cfca3f5bc7865948506fb75fa43ea9c4cb787d6d2d3d896bd866d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0251FE74E01248ABDB01DFA5C982BDEB7F5AF48308F50856AE844B7382D7785F04CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 004555EA
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,004556B0), ref: 00455654
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressByteCharMultiProcWide
                                                                                                                                                                                                            • String ID: SfcIsFileProtected$sfc.dll
                                                                                                                                                                                                            • API String ID: 2508298434-591603554
                                                                                                                                                                                                            • Opcode ID: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
                                                                                                                                                                                                            • Instruction ID: f46810b5b314b431af4f43299c3fabe32507941823b9175d405aae5aeba4d308
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7e58a0fd106200e4f3bc04200b2cacc58717943215cb6059fe45d01fbc32bb5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9141A470A00618AFEB20DF55DC95BAD77B8AB04319F5080B7E90CA7292D7789F48CE1D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • 74D41520.VERSION(00000000,?,?,?,?), ref: 00452C74
                                                                                                                                                                                                            • 74D41500.VERSION(00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CA1
                                                                                                                                                                                                            • 74D41540.VERSION(?,00452D18,?,?,00000000,?,00000000,?,00000000,00452CEF,?,00000000,?,?,?,?), ref: 00452CBB
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: D41500D41520D41540
                                                                                                                                                                                                            • String ID: )-E
                                                                                                                                                                                                            • API String ID: 2153611984-3997256589
                                                                                                                                                                                                            • Opcode ID: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
                                                                                                                                                                                                            • Instruction ID: 50707f88950aac898d8c4389756beb7c92bb5193b179b1fc1fca76f0aa7be7f8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e3fa64680b4daa2d15fd70f35a4d6916cc241641b57064dc1621c371eabb0d9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B219275A00648AFDB01DAA99D419AFB7FCEB4A301F554077FC00E3282D6B99E088769
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
                                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 00404E0D
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ExitMessageProcess
                                                                                                                                                                                                            • String ID: Error$Runtime error at 00000000
                                                                                                                                                                                                            • API String ID: 1220098344-2970929446
                                                                                                                                                                                                            • Opcode ID: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
                                                                                                                                                                                                            • Instruction ID: c00c8b1b907268fe45c84c5108a6570d36dd98a08fca56cdb76ff5d345661702
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6146da9580bef9965da9cda28fdf8b1f09917d9546c5f1af2fde060953d626be
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F21D360E452418ADB10AB75ED8171A3B8097F930CF04817BE700B73E2C67CD84687AE
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 004503F8
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,00450469,?,?,?,?,00000000,00000000), ref: 0045043E
                                                                                                                                                                                                              • Part of subcall function 00450360: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00450378
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: LibraryLoad$DirectorySystem
                                                                                                                                                                                                            • String ID: RICHED20.DLL$RICHED32.DLL
                                                                                                                                                                                                            • API String ID: 2630572097-740611112
                                                                                                                                                                                                            • Opcode ID: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
                                                                                                                                                                                                            • Instruction ID: 45d93e0d121fe09c7a50066aca23a685df4873c559958f5edeb39e7b45036801
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9fcc27b6184eb67fa55648afaa4eab07c2ec715cb05f6099bae96d6f0231ec87
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EB216374900108EFDB10FF61E846B5D77F8EB55319F50447BE500A6162D7785A49CF5C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042F201
                                                                                                                                                                                                              • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
                                                                                                                                                                                                              • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
                                                                                                                                                                                                              • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042F1E4
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 395431579-1506664499
• Opcode ID: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
• Instruction ID: f8fd25663858203a515409cfb2833324ac242db414aae85ffba9c986139a78a3
• Opcode Fuzzy Hash: ef2fe5795da2c79bebcfc8bc045bc88b8cffcc678c25b10b165038ef52182f9f
• Instruction Fuzzy Hash: 9701D274B00718EBE711DB65EC42B5E7BFCDB99704FE000B7B404A2291DAB99E48C62C
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(?,00456217,?,00000001,00000000), ref: 0045620A
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004561B8
• PendingFileRenameOperations2, xrefs: 004561EB
• PendingFileRenameOperations, xrefs: 004561DC
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpen
• String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
• API String ID: 47109696-2115312317
• Opcode ID: ff58e6e514d7c1611efeb73a4d2cf6eb9d9af067b9b8efd5cae166e7ece2cc9c
• Instruction ID: 13f9a8dc2762523c9d5034016e8e0e4cf56d15ba7b570f5b98feacd54ef34b89
• Opcode Fuzzy Hash: ff58e6e514d7c1611efeb73a4d2cf6eb9d9af067b9b8efd5cae166e7ece2cc9c
• Instruction Fuzzy Hash: F2F06271348204ABD714E6E69C13B5B739CD784B15FE284A6F80487982EA79AD14962C
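The two registry-related entries in this listing (the lookup of SYSTEM\CurrentControlSet\Control\Session Manager with the PendingFileRenameOperations value names, and the RegSetValueExA write of the "Inno Setup: Setup Version" marker under an _is1 key) are the ones an analyst pulls out of a report like this first. The Python below is an added example, not part of the Joe Sandbox report or of the analysed installer: it parses function entries in the APIs / Strings / Memory Dump Source / Similarity layout used on this page into records and tags any entry whose API arguments or string references hit a small watch list. The sample text is constructed from entries on this page; the watch-list names, the reading of the first dotted field of the .sdmp name as the Joe Sandbox process index (the snapshot file name hcaresult_14_2_400000_... on the page is consistent with that), and every function name are this example's own assumptions.

```python
"""Parse Joe Sandbox function-entry blocks (APIs / Strings / Memory Dump
Source / Similarity) into records and tag the ones worth a second look.
Example code; the layout is taken from the report page, everything else
(names, watch list, process-index assumption) is this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-F]{8})$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<dump>\S+), Offset: (?P<base>[0-9A-F]+), based on PE: (?P<pe>true|false)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")

# Watch list (assumed, not from the report). PendingFileRenameOperations under
# Session Manager queues file moves/deletes for the next boot: an installer
# reads it to detect a pending restart, but writing it is also a way to replace
# or drop files that are locked while the system runs, so intent must be checked.
WATCH = {
    "pending-file-rename": ("PendingFileRenameOperations",),
    "session-manager-key": ("Control\\Session Manager",),
    "inno-setup-marker": ("Inno Setup:", "_is1"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int] = None  # set when the call is "Part of subcall function"


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, int]] = field(default_factory=list)  # (value, xref)
    dump: str = ""
    image_base: int = 0
    process_index: Optional[int] = None
    similarity: dict = field(default_factory=dict)
    tags: Set[str] = field(default_factory=set)


def _clean(raw: str) -> str:
    return raw.strip().lstrip("•").strip()


def triage(entry: FunctionEntry) -> Set[str]:
    """Tag an entry whose string refs or API arguments contain a watched needle."""
    haystack = [value for value, _ in entry.strings]
    for call in entry.apis:
        haystack.extend(call.args)
    return {tag for tag, needles in WATCH.items()
            if any(needle in text for needle in needles for text in haystack)}


def parse_entries(text: str) -> List[FunctionEntry]:
    """Each 'APIs' heading starts a new function entry; other headings switch section."""
    entries: List[FunctionEntry] = []
    current: Optional[FunctionEntry] = None
    section = None
    for raw in text.splitlines():
        line = _clean(raw)
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionEntry()
                entries.append(current)
            section = line
            continue
        if current is None:
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            current.apis.append(ApiCall(m["name"], m["module"], m["args"].split(","),
                                        int(m["ref"], 16),
                                        int(m["sub"], 16) if m["sub"] else None))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["value"], int(m["xref"], 16)))
        elif section == "Memory Dump Source" and (m := SOURCE_RE.match(line)):
            current.dump = m["dump"]
            current.image_base = int(m["base"], 16)
            # Assumption: leading dotted field of the .sdmp name is the process index in hex.
            current.process_index = int(m["dump"].split(".")[0], 16)
        elif section == "Similarity" and (m := KV_RE.match(line)):
            current.similarity[m["key"]] = m["val"]
    for entry in entries:
        entry.tags = triage(entry)
    return entries


# Constructed sample, copied from three entries on this report page.
SAMPLE = r"""
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(?,00456217,?,00000001,00000000), ref: 0045620A
Strings
• SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 004561B8
• PendingFileRenameOperations2, xrefs: 004561EB
• PendingFileRenameOperations, xrefs: 004561DC
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseOpen
• API String ID: 47109696-2115312317
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00481201), ref: 004810AE
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00481201), ref: 004810BB
"""

if __name__ == "__main__":
    for i, e in enumerate(parse_entries(SAMPLE)):
        print(i, sorted(e.tags), [c.name for c in e.apis], e.process_index, hex(e.image_base))
```

The tags are a prompt for manual review, not a verdict: the first entry's API list shows only RegOpenKeyExA and RegCloseKey next to the PendingFileRenameOperations strings, which is consistent with a read (checking for a pending restart) rather than a write, and the Inno Setup marker is ordinary installer bookkeeping. A RegSetValueExA whose argument list named PendingFileRenameOperations would be the combination that warrants tracing the caller.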
APIs
• RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,VtG,?,0049E1E4,?,0046FF73,?,00000000,00470532,?,_is1), ref: 0046FC7F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Value
• String ID: Inno Setup: Setup Version$VtG$I
• API String ID: 3702945584-29442299
• Opcode ID: 220c20457a03c4fc65b096bd6025ac965394d29a13c1efd5e5d1aadad6d68a6c
• Instruction ID: 298cf4f1533d54ab550fd3d15e19e6a926ba71f9f01c0afe6301adb1283b93e4
• Opcode Fuzzy Hash: 220c20457a03c4fc65b096bd6025ac965394d29a13c1efd5e5d1aadad6d68a6c
• Instruction Fuzzy Hash: E7E06D713013043BD710AA2BAC85F5BAADCDF987A5F00403AB948DB392D578ED0542A8
APIs
• FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,00481201), ref: 004810AE
• FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,00481201), ref: 004810BB
• FindNextFileA.KERNEL32(000000FF,?,00000000,004811D4,?,?,?,?,00000000,00481201), ref: 004811B0
• FindClose.KERNEL32(000000FF,004811DB,004811D4,?,?,?,?,00000000,00481201), ref: 004811CE
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$CloseFileNext
• String ID:
• API String ID: 2066263336-0
• Opcode ID: 63da60fc703e6e8aa7dcaf1f4a84ca4d1db4635fe8be35313377f08196bdfc45
• Instruction ID: 32ce0b593b226a8a495a7b16ec3f8c392e3281c2b0d16565a73bd1b48714ff7d
• Opcode Fuzzy Hash: 63da60fc703e6e8aa7dcaf1f4a84ca4d1db4635fe8be35313377f08196bdfc45
• Instruction Fuzzy Hash: 95515E75A006489FCB10EF65CC45ADEB7BCEB89315F1045ABA808E7351D6389F86CF58
APIs
• GetMenu.USER32(00000000), ref: 004217B1
• SetMenu.USER32(00000000,00000000), ref: 004217CE
• SetMenu.USER32(00000000,00000000), ref: 00421803
• SetMenu.USER32(00000000,00000000), ref: 0042181F
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu
• String ID:
• API String ID: 3711407533-0
• Opcode ID: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
• Instruction ID: 73b485f7b17ee0b128820b03b0310e3fef403fa1ec291b42cca88d6787b8c394
• Opcode Fuzzy Hash: a1d2f4484655de1d3fd0847b2328f430e3f40ab88dcc203f2c43afec94015a70
• Instruction Fuzzy Hash: 44419E3070426407DB21BF3AA98579B66D55FA0308F4811BFE8458F3A3CA7CCC4A82AD
APIs
• SendMessageA.USER32 ref: 00416FD4
• SetTextColor.GDI32(?,00000000), ref: 00416FEE
• SetBkColor.GDI32(?,00000000), ref: 00417008
• CallWindowProcA.USER32(?,?,?,?,?), ref: 00417030
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Color$CallMessageProcSendTextWindow
• String ID:
• API String ID: 601730667-0
• Opcode ID: 49ac1906ee10618a7b6cf5a31eb6510ea09555bfd14ee65fb3a8138f39cbfa7e
• Instruction ID: 97657bf4431c68cea31458eff6611b8cbcc4ca9acdd3171e17da9912607f4e93
• Opcode Fuzzy Hash: 49ac1906ee10618a7b6cf5a31eb6510ea09555bfd14ee65fb3a8138f39cbfa7e
• Instruction Fuzzy Hash: CE114CB1604600AFD710EE6ECD84E87B7ECDF48310B14882AB55ADB612C62CE8818B69
APIs
• EnumWindows.USER32(00423E6C), ref: 00423EF8
• GetWindow.USER32(?,00000003), ref: 00423F0D
• GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
• SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$EnumLongWindows
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4191631535-0
                                                                                                                                                                                                            • Opcode ID: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
                                                                                                                                                                                                            • Instruction ID: 800f3c7d6b650a9444741cf3b456662361ea129bec99247a5177c247b1bc03b7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: da7c6a1f1adb1243b5fa3636d4e877867cfe7b0e5d1887425f7f41af5dac74a2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B117071B04610ABDB109F28ED85F5673F4EB08715F12026AF9649B2E2C37CDD40CB58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetDC.USER32 ref: 0042356E
                                                                                                                                                                                                            • EnumFontsA.GDI32(00000000,00000000,004234B8,004108B0,00000000,?,?,00000000,?,00419423,00000000,?,?,?,00000001), ref: 00423581
                                                                                                                                                                                                            • GetDeviceCaps.GDI32 ref: 00423589
                                                                                                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00423594
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CapsDeviceEnumFontsRelease
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2698912916-0
                                                                                                                                                                                                            • Opcode ID: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
                                                                                                                                                                                                            • Instruction ID: 3e91f746c00fb2f600ae5fc17e333cd129bb14a9c5a67b8d5949c9a763c02f3d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bb643e78eddffdc26f40f16d9b8672dcc85dc1c54bcbb46a45d6df83db9bb269
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C019EB17457102AE710BF6A5C82B9B37A49F0531DF40427FF908AB3C2DA7E990547AE
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • WaitForInputIdle.USER32 ref: 00455710
                                                                                                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF,?,?,?,00000000,?,?,00455943,?,?,?,00000044), ref: 00455732
                                                                                                                                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00455741
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,0045576E,00455767,?,?,?,00000000,?,?,00455943,?,?,?,00000044,00000000,00000000), ref: 00455761
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4071923889-0
                                                                                                                                                                                                            • Opcode ID: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
                                                                                                                                                                                                            • Instruction ID: d914ecb4f604d225e93de076450c6742835d04a0b91abb11bcb899d5d614385b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0e2e22314dae304e5bf22728ddaa36dde328adca970e968fdbe7b68800f3fe31
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6101B570A40A09FEEB20A7A58D16F7F7BADDB49760F610167F904D32C2C6789D00CA68
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RtlInitializeCriticalSection.KERNEL32 ref: 004019E2
                                                                                                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049D420), ref: 004019F5
                                                                                                                                                                                                            • LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02364000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
                                                                                                                                                                                                            • RtlLeaveCriticalSection.KERNEL32 ref: 00401A7C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$AllocEnterInitializeLeaveLocal
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 730355536-0
                                                                                                                                                                                                            • Opcode ID: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
                                                                                                                                                                                                            • Instruction ID: 7339f3ebbe1eed2a5a633cb922c09bf0bd68a71b88021a6e55e3f3fb74b7268e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6924fe21b1383dcef356c9aa5819c214f6a77f33e1d4e548cd75cfb9fc70e511
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AB01CCB0E482405EFB19AF699902B293FD4D799748F51803BF441A7AF1CA7C6840CB2E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast$CountSleepTick
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2227064392-0
                                                                                                                                                                                                            • Opcode ID: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
                                                                                                                                                                                                            • Instruction ID: 9be5390d37519caeffefa09d8943b7800c28e667e42796fceef54f4227176e6c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22ddb9d6ab121fa8b7aad317e9abd2d9173961abc661a66fb327fe759d7b9ec5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28E0E5213092A855C63035BB58C26AF45C9DA89768B244ABFE088D6283C89C4C05652E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
                                                                                                                                                                                                            • FlushFileBuffers.KERNEL32(?), ref: 0045CC95
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • NumRecs range exceeded, xrefs: 0045CB92
                                                                                                                                                                                                            • EndOffset range exceeded, xrefs: 0045CBC9
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$BuffersFlush
• String ID: EndOffset range exceeded$NumRecs range exceeded
• API String ID: 3593489403-659731555
• Opcode ID: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
• Instruction ID: 609741d3f79eabe780872f94ce4b5bf90fe53003262008b9b2f446b63576a9fa
• Opcode Fuzzy Hash: 2260f6877304dea45ba359fb37d430195bc0a3511ff8112a2360352fa9564334
• Instruction Fuzzy Hash: 6E615234A002588FDB25DF25D881BDAB7B5EF49305F0084DAED899B352D6B4AEC8CF54
APIs
• GetForegroundWindow.USER32(00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849B1
• SetActiveWindow.USER32(?,00000000,00484B02,?,00000000,00484B43,?,?,?,?,00000000,00000000,00000000,?,0046CA59), ref: 004849C3
Strings
• Will not restart Windows automatically., xrefs: 00484AE2
Similarity
• API ID: Window$ActiveForeground
• String ID: Will not restart Windows automatically.
• API String ID: 307657957-4169339592
• Opcode ID: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
• Instruction ID: e3ffbfa0a86cb08642d5b37a1a1eca219a4b332c0ee086946791bcc458de558f
• Opcode Fuzzy Hash: 611cf57aec86bfea3a2af854023c09e37a5beb60966471ff9b2a299e19d7bf06
• Instruction Fuzzy Hash: 64415930644245EFD714FFA6EC05B6E7BE4D795308F1948B7E8405B392E2BC9800971E
APIs
  • Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
  • Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356
  • Part of subcall function 004063F4: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 0040640F
  • Part of subcall function 004063F4: GetVersion.KERNEL32(kernel32.dll,00000000,0040668E,?,?,?,?,00000000,?,0049A4A8), ref: 00406416
  • Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0040642B
  • Part of subcall function 004063F4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406453
  • Part of subcall function 00406814: 6F551CD0.COMCTL32(0049A4AD), ref: 00406814
  • Part of subcall function 00410BB4: GetCurrentThreadId.KERNEL32 ref: 00410C02
  • Part of subcall function 00419490: GetVersion.KERNEL32(0049A4C6), ref: 00419490
  • Part of subcall function 0044FD1C: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
  • Part of subcall function 0044FD1C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D
  • Part of subcall function 004501E8: GetVersionExA.KERNEL32(0049D794,0049A4DF), ref: 004501F7
  • Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453956
  • Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045395C
  • Part of subcall function 00453934: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004539F2,?,?,?,?,00000000,00000000,?,0049A4EE), ref: 00453970
  • Part of subcall function 00453934: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00453976
  • Part of subcall function 00457850: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA
  • Part of subcall function 00465214: LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
  • Part of subcall function 00465214: GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265
  • Part of subcall function 0046DAB0: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB
  • Part of subcall function 00479E68: GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
  • Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
  • Part of subcall function 00479E68: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B
  • Part of subcall function 00485374: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485
  • Part of subcall function 0049749C: RegisterClipboardFormatA.USER32 ref: 004974B5
• SetErrorMode.KERNEL32(00000001,00000000,0049A554), ref: 0049A526
  • Part of subcall function 0049A250: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
  • Part of subcall function 0049A250: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260
  • Part of subcall function 00424924: SendMessageA.USER32 ref: 00424943
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• ShowWindow.USER32(?,00000005,00000000,0049A554), ref: 0049A587
  • Part of subcall function 004839B4: SetActiveWindow.USER32(?), ref: 00483A62
Strings
Similarity
• API ID: AddressProc$HandleModule$VersionWindow$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModeRegisterSendShowTextThread
• String ID: Setup
• API String ID: 2300352135-3839654196
• Opcode ID: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
• Instruction ID: 2627a5300f3eb19f067de96b875d46ae0be93d5911e26a22e66c9acfb87dca20
• Opcode Fuzzy Hash: cdfde2e51fe0698aa6b85e30c0a1c237bbea7d7fd99d79f8e074734ecee56c62
• Instruction Fuzzy Hash: AA31B3712046409EDB01BBB7AC1391D3BA8EB8971CB62487FF90486563DE3D5C24867F
APIs
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541D2
• GetLastError.KERNEL32(00000000,00000000,?,00000000,0045427B,?,?,00000000,0049D62C,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004541DB
Strings
Similarity
• API ID: CreateDirectoryErrorLast
• String ID: .tmp
• API String ID: 1375471231-2986845003
• Opcode ID: 6f4460bb771477b2532cc418dcf8c2749320d1c4241bb26b34006b525e4e1938
• Instruction ID: f8da180511d522ff1cc3db6e91f047bd7ddaecfb92c8c1642a91e8309ff3a61b
• Opcode Fuzzy Hash: 6f4460bb771477b2532cc418dcf8c2749320d1c4241bb26b34006b525e4e1938
• Instruction Fuzzy Hash: 19214E75A002189BDB01EFA1C8465DEB7BDEF44305F50457BF801B7382D67C5E458BA9
APIs
  • Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00484E79
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00484E86
  • Part of subcall function 00484E68: GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00484E94
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00484E9C
  • Part of subcall function 00484E68: GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00484EA8
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00484EC9
  • Part of subcall function 00484E68: GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00484EDC
  • Part of subcall function 00484E68: GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00484EE2
  • Part of subcall function 00485194: GetVersionExA.KERNEL32(?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851A2
  • Part of subcall function 00485194: GetVersionExA.KERNEL32(0000009C,?,004853AA,00000000,004854AA,?,?,?,?,00000000,00000000,?,0049A511), ref: 004851F4
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00485485
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressProc$HandleModuleSystemVersion$CurrentDirectoryErrorInfoLibraryLoadModeNativeProcess
                                                                                                                                                                                                            • String ID: SHGetKnownFolderPath$shell32.dll
                                                                                                                                                                                                            • API String ID: 1303913335-2936008475
APIs
• RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042E1C8
• RegEnumValueA.ADVAPI32 ref: 0042E208
Strings
Similarity
• API ID: Value$EnumQuery
• String ID: Inno Setup: No Icons
• API String ID: 1576479698-2016326496
APIs
• DeleteFileA.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 00453083
• GetLastError.KERNEL32(00000000,00000000,004530A9,?,-00000001,?), ref: 0045308B
Strings
Similarity
• API ID: DeleteErrorFileLast
• String ID: @8H
• API String ID: 2018770650-3762495883
APIs
• RemoveDirectoryA.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 0045358B
• GetLastError.KERNEL32(00000000,00000000,004535B1,?,-00000001,00000000), ref: 00453593
Strings
Similarity
• API ID: DirectoryErrorLastRemove
• String ID: @8H
• API String ID: 377330604-3762495883
APIs
  • Part of subcall function 004577E0: CoInitialize.OLE32(00000000), ref: 004577E6
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004578AA
Strings
Similarity
• API ID: AddressDirectoryErrorInitializeLibraryLoadModeProcSystem
• String ID: SHCreateItemFromParsingName$shell32.dll
• API String ID: 1013667774-2320870614
APIs
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
  • Part of subcall function 0042E7E4: SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
  • Part of subcall function 0042E7E4: LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
• GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046DAFB
Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressDirectoryErrorLibraryLoadModeProcSystem
                                                                                                                                                                                                            • String ID: SHPathPrepareForWriteA$shell32.dll
                                                                                                                                                                                                            • API String ID: 2552568031-2683653824
APIs
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047DC36,00000000,0047DC4C), ref: 0047D946
Strings
Similarity
• API ID: Close
• String ID: RegisteredOrganization$RegisteredOwner
• API String ID: 3535843008-1113070880
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476409
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,0047661B), ref: 00476420
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Similarity
• API ID: CloseCreateErrorFileHandleLast
• String ID: CreateFile
• API String ID: 2528220319-823142352
APIs
• RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0047034A,?,?,00000000,00470532,?,_is1,?), ref: 0046FCDF
Strings
Similarity
• API ID: Value
• String ID: NoModify$I
• API String ID: 3702945584-1047506205
APIs
• GetSystemMenu.USER32(00000000,00000000,00000000,004831A0), ref: 00483138
• AppendMenuA.USER32 ref: 00483149
• AppendMenuA.USER32 ref: 00483161
Similarity
• API ID: Menu$Append$System
• String ID:
• API String ID: 1489644407-0
APIs
Similarity
• API ID: ObjectReleaseSelect
• String ID:
• API String ID: 1831053106-0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044B5EC,?,004839CF,?,?), ref: 0044B5BE
                                                                                                                                                                                                            • DrawTextW.USER32 ref: 0044B5D1
                                                                                                                                                                                                            • DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044B605
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: DrawText$ByteCharMultiWide
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 65125430-0
                                                                                                                                                                                                            • Opcode ID: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
                                                                                                                                                                                                            • Instruction ID: c4c5e2dbcf53f363daa0ac06871d419456bbfc1076f0fbe0a6f7c1d9791685bd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 220ba5cac8d50b27136c7947ff428b4d5b30f8bb344e0136b885afe7086c5f85
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1011CBB27045047FE711DB5A9C81D6FB7ECEB89714F10417BF514D72D0D6389E018669
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424862
                                                                                                                                                                                                            • TranslateMessage.USER32(?), ref: 004248DF
                                                                                                                                                                                                            • DispatchMessageA.USER32(?), ref: 004248E9
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Message$DispatchPeekTranslate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4217535847-0
                                                                                                                                                                                                            • Opcode ID: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
                                                                                                                                                                                                            • Instruction ID: c7af1bd1b10d32b98fa997e15213bd70182e4a6faef26a56c53dd2d0e562e7a0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d5f45652bc976909b78a8fda5e55899e4ac3f100e933d79a059951e0026f3ac
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7111C4343143905AEA20F664A94179B73D4DFD1B04F81481FF8D947382D3BD9D49876B
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000), ref: 00470BC6
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Setting permissions on directory: %s, xrefs: 00470B8C
                                                                                                                                                                                                            • Failed to set permissions on directory (%d)., xrefs: 00470BD7
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                            • String ID: Failed to set permissions on directory (%d).$Setting permissions on directory: %s
                                                                                                                                                                                                            • API String ID: 1452528299-3781482204
                                                                                                                                                                                                            • Opcode ID: bb3ebb20d34bd3feb010505e942ac3353de8da3b20606f8c2e5495aa89b54d69
                                                                                                                                                                                                            • Instruction ID: 32490694418421bb1a17b28030c0e0f623746775d98a4406e0272f03b74d8531
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bb3ebb20d34bd3feb010505e942ac3353de8da3b20606f8c2e5495aa89b54d69
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F6016730E041449BCB04D7BE94826DDB7E89F4D318F5086BFB418E7392DA795E05879D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetPropA.USER32(00000000,00000000), ref: 00416ABA
                                                                                                                                                                                                            • SetPropA.USER32(00000000,00000000), ref: 00416ACF
                                                                                                                                                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 00416AF6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Prop$Window
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3363284559-0
                                                                                                                                                                                                            • Opcode ID: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
                                                                                                                                                                                                            • Instruction ID: ba7ff3a79511e9fd345c6eb2e7309737472e1a66b8435aad7f351e84ed883601
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 120d831fd0e7c0f5eedd88e24305ab6ef8b5e2b9243d669fe5121d0f27645725
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24F0B271701210ABD710AB698C85FA636ECAF0D755F16417ABA05EF286C679DC4087A8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • IsWindowVisible.USER32 ref: 0041F2B4
                                                                                                                                                                                                            • IsWindowEnabled.USER32 ref: 0041F2BE
                                                                                                                                                                                                            • EnableWindow.USER32(?,00000000,?,?), ref: 0041F2E4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$EnableEnabledVisible
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3234591441-0
                                                                                                                                                                                                            • Opcode ID: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
                                                                                                                                                                                                            • Instruction ID: f88b3158499dd9289c75302ad3040ea965d59b676cda83e5cbf87f6be83bac28
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f8c63cb9eb03fe3057432f7fc847cbb230a844cb3caf0d06e376941515be7c19
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56E06D74200200ABE310AB26ED81A56779CEB10314F118437A849AB293D63AD8458ABC
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetActiveWindow.USER32(?), ref: 0046ACB1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ActiveWindow
                                                                                                                                                                                                            • String ID: PrepareToInstall
                                                                                                                                                                                                            • API String ID: 2558294473-1101760603
                                                                                                                                                                                                            • Opcode ID: 93c2ced9901b78990d4c7008f4db33b899a7a6d11fefccccc113996b0ad24cf6
                                                                                                                                                                                                            • Instruction ID: fdee18710babf5e336c1910aeb408bf0e6a903f892d838ad66a8bf575b9628a0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93c2ced9901b78990d4c7008f4db33b899a7a6d11fefccccc113996b0ad24cf6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 90A10C74A00109DFCB00EF99D886E9EB7F5AF48304F5540B6E404AB366D738AE45DB5A
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: /:*?"<>|
                                                                                                                                                                                                            • API String ID: 0-4078764451
                                                                                                                                                                                                            • Opcode ID: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
                                                                                                                                                                                                            • Instruction ID: f677315d7a897bddb44220e636167c4a4d5a92338f94b0a6c85659efeb8beb4e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ceb3f76dddb8c4f3c05b9d1c15b0c50ece1c75124130fc1418fa8c0e44e40a18
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 95719770F04208ABDB10EB66DC92F9E77A15B41308F1480A7F900BB392E6B99D45875F
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetActiveWindow.USER32(?), ref: 00483A62
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ActiveWindow
                                                                                                                                                                                                            • String ID: InitializeWizard
                                                                                                                                                                                                            • API String ID: 2558294473-2356795471
                                                                                                                                                                                                            • Opcode ID: 8c31a081f099e9809beeea3f27c08756d23f8c24eaac549991aa8419c0c9ea60
                                                                                                                                                                                                            • Instruction ID: 9a8fbe648e99d25b3c1ebd2b051959da3f81131ff902f8f70686133b91dd172c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c31a081f099e9809beeea3f27c08756d23f8c24eaac549991aa8419c0c9ea60
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BD119170608104DFD704EF2AFC85B597BE8E714718F22847BE544872A2EBB96D00DB6D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Failed to remove temporary directory: , xrefs: 0047E10B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountTick
                                                                                                                                                                                                            • String ID: Failed to remove temporary directory:
                                                                                                                                                                                                            • API String ID: 536389180-3544197614
                                                                                                                                                                                                            • Opcode ID: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
                                                                                                                                                                                                            • Instruction ID: ac5e1a37918f7d070e72ace47ef54387b1d6805ebc6ff4ed15476670fa48ed12
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9feb2f6085af5a8b024ba5244f206146ce975ac7a9d5adcf9a00534459b24a1c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A017930604204AADB11EB73DC47FDA3798DB49709F6089BBB504B62E2DBBC9D04D55C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047DA4C,00000000,0047DC4C), ref: 0047D845
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 0047D815
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                                            • API String ID: 47109696-1019749484
                                                                                                                                                                                                            • Opcode ID: ec998cb2005931f9a5bd83814b3b68d5548767ad80e13f0d82a29780648ed5d1
                                                                                                                                                                                                            • Instruction ID: 9e1ac37bc360ea69ca44dde089ba04ba4b826bb97de6a423fadd5e819c649f8f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ec998cb2005931f9a5bd83814b3b68d5548767ad80e13f0d82a29780648ed5d1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09F08231B04114A7DB00B69A9C42BAEA7AC8F84758F20807BF519EB242D9B99E0143AD
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • System\CurrentControlSet\Control\Windows, xrefs: 0042E286
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Open
                                                                                                                                                                                                            • String ID: System\CurrentControlSet\Control\Windows
                                                                                                                                                                                                            • API String ID: 71445658-1109719901
                                                                                                                                                                                                            • Opcode ID: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
                                                                                                                                                                                                            • Instruction ID: 65e6a506820a5022674633d18044d67bbd02e357da0c4a821f6ebd0b5300d4b8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ba599b357b8d4751e1ab922ebb55064d8a8854d38c942fc45e646e4ab9ecaa7b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7D09272910228BBAB009A89DC41DFB77ADDB1A760F80806AF91897241D2B4AC519BF4
APIs
• GetACP.KERNEL32(?,?,00000001,00000000,0047FA57,?,-0000001A,00481956,-00000010,?,00000004,0000001C,00000000,00481CA3,?,0045E364), ref: 0047F7EE
  • Part of subcall function 0042E76C: GetDC.USER32 ref: 0042E77B
  • Part of subcall function 0042E76C: EnumFontsA.GDI32(?,00000000,0042E758,00000000,00000000,0042E7C4,?,00000000,00000000,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0042E7A6
  • Part of subcall function 0042E76C: ReleaseDC.USER32(00000000,?), ref: 0042E7BE
• SendNotifyMessageA.USER32(000104F4,00000496,00002711,-00000001), ref: 0047F9BE
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: EnumFontsMessageNotifyReleaseSend
• String ID:
• API String ID: 2649214853-0
APIs
• RtlEnterCriticalSection.KERNEL32(0049D420), ref: 004020CB
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32 ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02364000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32 ref: 00401A7C
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
• String ID:
• API String ID: 296031713-0
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E08C
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042E188), ref: 0042E0FC
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
APIs
• RegEnumKeyExA.ADVAPI32 ref: 0042E3BC
• RegCloseKey.ADVAPI32(?,0042E42D,?,00000000,00000000,00000000,00000000,00000000,0042E426,?,?,00000008,00000000,00000000,0042E453), ref: 0042E420
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseEnum
• String ID:
• API String ID: 2818636725-0
APIs
• CreateProcessA.KERNEL32 ref: 00452F80
• GetLastError.KERNEL32(00000000,00000000,?,?,00458A74,00000000,00458A5C,?,?,?,00000000,00452FA6,?,?,?,00000001), ref: 00452F88
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateErrorLastProcess
• String ID:
• API String ID: 2919029540-0
APIs
• FindResourceA.KERNEL32(00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B39F,00000000,0040B3B7,?,?,?,00000000,?,0040B3F5), ref: 0040B242
• FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B39F,00000000,0040B3B7,?,?,?,00000000), ref: 0040B253
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Resource$FindFree
• String ID:
• API String ID: 4097029671-0
                                                                                                                                                                                                            • Opcode ID: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
                                                                                                                                                                                                            • Instruction ID: 99f6b945ddddc3ffa7954b5b99b0f089effa67c77682540e1bcd22500dccd1d0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ccfb53ccaaecadb89aef38a6b87b21aaaa45f6b87b20848e9e6dd1c8ee0e0d8f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9101F7717043006FE700EF69DC52D1A77ADDB89718711807AF500EB2D0D63D9C0196AD
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Thread$CurrentEnumWindows
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2396873506-0
                                                                                                                                                                                                            • Opcode ID: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
                                                                                                                                                                                                            • Instruction ID: ded2603fe903b3ccb75c053802ed51acc4a1ef0e0cc57bb05547c7342bcbb188
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 26a01034718a754fac2428515d88d868d648ddf0343dd67eaafc6563d075de98
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2016D74A04B08BFD301CF66ED1195ABBF8F749724B22C877E854D3AA0E73459119E58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MoveFileA.KERNEL32(00000000,00000000), ref: 00453406
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,0045342C), ref: 0045340E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorFileLastMove
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 55378915-0
                                                                                                                                                                                                            • Opcode ID: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
                                                                                                                                                                                                            • Instruction ID: 0cc30b72992c59045a3cb8216ce3619e412531a307d766600c380e57d1775dbb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1548faf8a9677bd12e98f2e2d243f9d82652a592f520366f9bcd72908c48431c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6101D671B04204BB8701EFB9AC4249EB7ECDB49766760457BFC04E3242EA789F088558
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EED
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00452F13), ref: 00452EF5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1375471231-0
                                                                                                                                                                                                            • Opcode ID: 7cb2c570ac219d0ee22c88f96f5bf87a62d98c3fd0f6f1ca7cf3871b5df67843
                                                                                                                                                                                                            • Instruction ID: 89335b5e5455deb896f2d2efe83bb95299e3db0618b413de6719cdd134c6b725
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7cb2c570ac219d0ee22c88f96f5bf87a62d98c3fd0f6f1ca7cf3871b5df67843
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CEF02872A04304BBCB01EF75AD0259EB3E8DB0A321B5045BBFC04E3282E7B94E049698
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 0045325D
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00453283,?,?,00000000), ref: 00453265
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AttributesErrorFileLast
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1799206407-0
                                                                                                                                                                                                            • Opcode ID: 93a4445a77e87f832db48cc37b7d9a5725dfb79c3c3b600bc74ddeadc40bd50e
                                                                                                                                                                                                            • Instruction ID: 5db4c9d18fff2c699384bf48158aad256892f70ed416b0cdc9347702aa33957f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93a4445a77e87f832db48cc37b7d9a5725dfb79c3c3b600bc74ddeadc40bd50e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5F0FC71A04B04ABCB10DFB9AD4249DB3A8DB49766B5046FBFC14E3682DB785F04859C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • LoadCursorA.USER32(00000000,00007F00), ref: 00423699
                                                                                                                                                                                                            • LoadCursorA.USER32(00000000,00000000), ref: 004236C3
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CursorLoad
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3238433803-0
                                                                                                                                                                                                            • Opcode ID: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
                                                                                                                                                                                                            • Instruction ID: 05fd857f6409e6a60644ea24615d01c87e42662e453bf4d6e4e1dfbb00014e4e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f140cec9cfa9b30dc2305244e4258a11cf30c4d8c1b352010c949b8b0dda8ca8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2F0A7517002107ADA205E3E6CC0A2A72ADCBC1735B61437BFA2AE73D1C72D5D45556D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042E7EE
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0042E838,?,00000000,0042E856,?,00008000), ref: 0042E81D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLibraryLoadMode
• String ID:
• API String ID: 2987862817-0
• Opcode ID: 9b4fdb90dd8f6dfc429e23110810c204407b66d19ffb3595c1bc568b2ae7c347
• Instruction ID: 76a16bdd6934cf9e499703eeb82aeaab1faf94a78ecb328ba4f7015bbedd62a6
• Opcode Fuzzy Hash: 9b4fdb90dd8f6dfc429e23110810c204407b66d19ffb3595c1bc568b2ae7c347
• Instruction Fuzzy Hash: 13F08270B14744BEDB116F779C6282BBBECE749B1079348B6F800A3A91E63C4C10C968
APIs
• SHGetKnownFolderPath.SHELL32(0049BD54,00008000,00000000,?), ref: 0047DBA5
• CoTaskMemFree.OLE32(?,0047DBE8), ref: 0047DBDB
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FolderFreeKnownPathTask
• String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
• API String ID: 969438705-544719455
• Opcode ID: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
• Instruction ID: 547cb950fcd41f41a68947569da9652c82defc7c7397c5e87919afd81bca1a0c
• Opcode Fuzzy Hash: 40c9fceec1849ef55c2d9e9b165fa2d81ca6f89bfe3325e062340eef34f4dc70
• Instruction Fuzzy Hash: F5E06534714640BEEB119A619D12B5977B8EB85B04FB28476F50496690D678A9009A18
APIs
• SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 00451052
• GetLastError.KERNEL32(?,00000000,?,00000002,?,?,00470FA5,?,00000000), ref: 0045105A
  • Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$FilePointer
• String ID:
• API String ID: 1156039329-0
• Opcode ID: 57e3a47998fe8597b6042e5f5bf28c6be865df3206a1389c22972bb96d3862bd
• Instruction ID: e16622de0e040581c0824a6ac5d1d77e375427595308dce999b5737054ed6bda
• Opcode Fuzzy Hash: 57e3a47998fe8597b6042e5f5bf28c6be865df3206a1389c22972bb96d3862bd
• Instruction Fuzzy Hash: 86E012B5344201ABE700FAB599C1F2B22DCDB44755F10846AF944DA187D674DC498B35
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Global$AllocLock
• String ID:
• API String ID: 15508794-0
• Opcode ID: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
• Instruction ID: 56019af84ea84d57b40f02c4528a45173e4f1cdf38a2be340d0d32551c2e1a06
• Opcode Fuzzy Hash: 38fdb687bb69d238822be17628ba02d3430ff360103c12c92fad93c094244837
• Instruction Fuzzy Hash: 699002C4C01A00A4DC0072B20C0BD3F101CD8C072C3D1486F7044B6483887C88000979
APIs
• VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
• VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Virtual$AllocFree
• String ID:
• API String ID: 2087232378-0
• Opcode ID: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
• Instruction ID: a6323659c4e3f22e280215c11bf30f87fcb27bed7f3312751ebcd43238c0638b
• Opcode Fuzzy Hash: 7e62aa1badbe9b7bec7abb2084251aae76f03f49734707af951965b808a3b35c
• Instruction Fuzzy Hash: CCF08272A0063067EB60596A4C81B5359849BC5794F154076FD09FF3E9D6B58C0142A9
APIs
• GetSystemDefaultLCID.KERNEL32(00000000,00408B62), ref: 00408A4B
  • Part of subcall function 0040723C: LoadStringA.USER32 ref: 00407259
  • Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DefaultInfoLoadLocaleStringSystem
• String ID:
• API String ID: 1658689577-0
• Opcode ID: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
• Instruction ID: 2280d21d464d6860fad4d2303e4b2489916fa30e512bd771d5ffef80d8a4ef38
• Opcode Fuzzy Hash: bb57ecfbcf6c99401787c1e244de85808a7a992296f2a947b18206caa06ad51e
• Instruction Fuzzy Hash: F6315275E001099BCF00EF95C8819EEB779EF84314F51857BE815BB385E738AE058B99
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoScroll
• String ID:
• API String ID: 629608716-0
• Opcode ID: 3edf798da742a1a67383ead948891c4ca252191c32eeff7b634738f170ced4ea
• Instruction ID: a69ccf46589f52d523cedfa5b555af8e95575bce60e7416ef6aeac4177a5bf43
• Opcode Fuzzy Hash: 3edf798da742a1a67383ead948891c4ca252191c32eeff7b634738f170ced4ea
• Instruction Fuzzy Hash: BA2151B1604755AFD340DF39A440767BBE4BB48344F04892EE098C3342E775E995CBD6
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
                                                                                                                                                                                                              • Part of subcall function 0041F2F4: EnumThreadWindows.USER32 ref: 0041F349
                                                                                                                                                                                                            • SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046D16E,?,00000000,?,?,0046D380,?,00000000,0046D3F4), ref: 0046D152
                                                                                                                                                                                                              • Part of subcall function 0041F3A8: IsWindow.USER32 ref: 0041F3B6
                                                                                                                                                                                                              • Part of subcall function 0041F3A8: EnableWindow.USER32(?,00000001,?,00000000,00000000,0042F7C2,0042F8D5,?,00000000,?), ref: 0041F3C5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ThreadWindow$CurrentEnableEnumPathPrepareWindowsWrite
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3319771486-0
                                                                                                                                                                                                            • Opcode ID: 9f032309dcde971134040d123568164e642ddd2cabc1e4735cf40f63c5ed8cf9
                                                                                                                                                                                                            • Instruction ID: b16b0b1c8f0f43ce2eded6e4310be42afa410753b2a581968e322ef2fdc8cd52
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9f032309dcde971134040d123568164e642ddd2cabc1e4735cf40f63c5ed8cf9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EFF0BEB1B08344BFFB05DB72EC56B6AB7A8E30A714F61447BF404861A0EAF95840852E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 004169D5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                                                            • Opcode ID: 055c9416affa8369aca5a52daf2b71abecd104a899c95fff13876bf4c34adbe4
                                                                                                                                                                                                            • Instruction ID: 76b9729045c620b17443a4bfae3f317f1f80b082859ffabd1d53e10c409eed5a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 055c9416affa8369aca5a52daf2b71abecd104a899c95fff13876bf4c34adbe4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FEF025B2600510AFDB84CF9CD8C0F9373ECEB0C210B0881A6FA08CF21AD220EC108BB0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00414E3F
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2492992576-0
                                                                                                                                                                                                            • Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                                                                                                            • Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00450F48
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
                                                                                                                                                                                                            • Instruction ID: 8219f7e09200e9d280371fd8822ce49b3febf2e1364c7dcaf59ee2aef9f1cf3d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 00d3b0e571f0f9799c9202ce425a31b8579894210baf7755ca9a5e27d392a7a4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2E0EDB53541483ED6809AAD7D42F9667DCD71A724F008033B998D7241D5619D158BE8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,0042D164,?,00000001,?,?,00000000,?,0042D1B6,00000000,00453169,00000000,0045318A,?,00000000), ref: 0042D147
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                                                            • Opcode ID: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
                                                                                                                                                                                                            • Instruction ID: 9806b9c164805e7544688198397d180b04c1e4ca63c7d3d80aa3ce68cdb407ca
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 52a97f63493a2405b18f7ceeeb4c5583b1fc3ffb9d272bcba16263c996160de7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 74E09271704704BFD701EF62DC53E6BBBECDB89B18BA14876B400E7692D6789E10D468
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FormatMessage
• String ID:
• API String ID: 1306739567-0
• Opcode ID: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
• Instruction ID: 20bfa46e39afc277729b0f592bdc1926ad718625f52f7f76be7811270f12921f
• Opcode Fuzzy Hash: 09ac2101c8e17b0b2705a927b8a5b1ff093a5eaf49e610a8aec8846a662564db
• Instruction Fuzzy Hash: 0DE0206179471216F2351416AC47B77530E43C0704F944436BF50DD3E3D6AED906465E
APIs
• CreateWindowExA.USER32(00000000,00423ACC,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00406321
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
• Instruction ID: 1e3b386673cc32b76f3712ab4659b14af7d7742474b1f2ca80afcc4f691b27f6
• Opcode Fuzzy Hash: 9dc46ec25ca5ecaaaae1fbad39bdca196911fb58cef97937ba07dcb482697fa8
• Instruction Fuzzy Hash: 26E002B221430DBFDB00DE8ADCC1DABB7ACFB4C654F808105BB1C972528675AC608B71
APIs
• RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
• Instruction ID: 1b6ad3e9ff9242377371a87229ab788a86a92e19cf0220c3a89558970fe9bf90
• Opcode Fuzzy Hash: 5347a797c781b98567e2e52ffd135a3f9820974f1ad95a252eafdff03c881ffc
• Instruction Fuzzy Hash: 58E07EB6600119AF9B40DE8DDC81EEB37ADAB5D360F444016FA48E7200C2B8EC519BB4
APIs
• FindClose.KERNEL32(00000000,000000FF,0047194C,00000000,00472768,?,00000000,004727B1,?,00000000,004728EA,?,00000000,?,00000000,I), ref: 00455376
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 2037d152b961654d0701826464360efc1bc8af66d82e3674caf93459437a3ed2
• Instruction ID: 8b71881552422ad0faea9fb58b8cbe3f8cf10286c40a53e64c89ff98b22cfa58
• Opcode Fuzzy Hash: 2037d152b961654d0701826464360efc1bc8af66d82e3674caf93459437a3ed2
• Instruction Fuzzy Hash: 74E09BB0504A004BC714DF7A848132A77D15F84321F04C96ABC9CCB7D7E67C84154667
APIs
• KiUserCallbackDispatcher.NTDLL(004972CE,?,004972F0,?,?,00000000,004972CE,?,?), ref: 00414AEB
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
• Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
• Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00407374
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
• Instruction ID: 7137799a8a619894c36928dc497025c8ae4ce5b7c347e91e7b4e2a044eac2fb2
• Opcode Fuzzy Hash: 3a95ec999e214528a4642a0263e4bef887c4bff4fae810559ecd64d74c978ed9
• Instruction Fuzzy Hash: CFD05B723082507BE320A55B5C44EAB6BDCCBC5774F10063EF958D31C1D6349C01C675
APIs
  • Part of subcall function 00423A48: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 00423A5D
• ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
  • Part of subcall function 00423A78: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423A94
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: InfoParametersSystem$ShowWindow
• String ID:
• API String ID: 3202724764-0
• Opcode ID: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
• Instruction ID: b4979a057c5364df20928e0f8112b75834207fc47edce7a1cb621b48fadbe9ee
• Opcode Fuzzy Hash: b1c2cd61143bf12a0bef37db47b635a6d3ef0f027e429c080d83374e888f6fa5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4D0A7137811703143117BB738469BF46EC4DD26AB38808BBB5C0DB303E91E8E051278
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 0042472C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: TextWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 530164218-0
                                                                                                                                                                                                            • Opcode ID: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
                                                                                                                                                                                                            • Instruction ID: 0401e0c0b6f3d46f422729750133087b7afca2a32056b90ced50410e3746bfe3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f798d55b4a563aaf07053da431746ff1fcbe1b34a54896860b3a53b831deb59
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17D05EE27011602BCB01BAAD54C4ACA67CC8B8936AB1440BBF908EF257C638CE458398
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,?,00453399,00000000,004533B2,?,-00000001,00000000), ref: 0042D1C7
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                                                            • Opcode ID: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
                                                                                                                                                                                                            • Instruction ID: bf35e0695d646f252302ae8c05399a3b1551c06c76099583daea3b520eb86f7d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c6ebe174506a89767f7ee592df00eb0c72a5955deab68b848f445c8102e14c6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3ED022D071121001DE10A0BC28C533711880B74336BA41A33BD69E26E3C33D8823542C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,00000000,00451D0F,00000000), ref: 0042D17F
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AttributesFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3188754299-0
                                                                                                                                                                                                            • Opcode ID: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
                                                                                                                                                                                                            • Instruction ID: 86baad2ceceaa6a85e65f17f0286784d9b66173697f2cc348ab0aa8737b1e759
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 176281895ea3e42f60d60676608de6346bb49bc8ae14b0fa01ac27964d7a3955
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C9C080D0711210155E10A5BD1CC556703C849543793540F37B068D66D2D13D8466202C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00468491,00000000,00000000,00000000,0000000C,00000000), ref: 004677E4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CallbackDispatcherUser
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2492992576-0
                                                                                                                                                                                                            • Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                                                                                                            • Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040AB24,0040D0D0,?,00000000,?), ref: 0040732D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
                                                                                                                                                                                                            • Instruction ID: a78e408fffc15bc8d0ee8a54c686fbaa4e2694f5c3f88f37cecd524e454749ad
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 209b0ba7fd8c5b4a24ef9a539f4d873392a5060120ce01350303422817e34c0d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: ADC048B13C130032F93025A61C87F1604889714B1AE60943AB740BE1C2D8E9A818016C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • FreeLibrary.KERNEL32(00000000,004506B4,00000000,?,00469063,0000000C,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,?), ref: 004504C6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
• Instruction ID: d31243997fce6a081680f754dd08e5339b9cfa2d37494deb9f472b2c5ff9ad0f
• Opcode Fuzzy Hash: 26d24d78127bedaa8bd94fa6176c523188c8219f80ea813ea250164edc493aa3
• Instruction Fuzzy Hash: 1AD092B1925244AECB10AB26EA0430232B0E364316F404037E60095163C33988958F8C
APIs
• SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
  • Part of subcall function 00450DF8: GetLastError.KERNEL32(00450C14,00450EBA,?,00000000,?,00499714,00000001,00000000,00000002,00000000,00499875,?,?,00000005,00000000,004998A9), ref: 00450DFB
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorFileLast
• String ID:
• API String ID: 734332943-0
• Opcode ID: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
• Instruction ID: c64e7bd530bf7aca0fb3f38fdfe864b922b4b7832701085435935f337d1370ec
• Opcode Fuzzy Hash: 46bffcc4190b32f1737510e309765b0f9d847fb6a3bc417c92e668a4702f1f8e
• Instruction Fuzzy Hash: 0BC04CA5340140578F40A6AE85C1A1663DC9E193493504066B904DF657D669D8484A15
APIs
• SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CurrentDirectory
• String ID:
• API String ID: 1611563598-0
• Opcode ID: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
• Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
• Opcode Fuzzy Hash: f8e5bc84ed77a990345a18ebfce7b3b4d36d471a9523976a67f94f28f3ebd8b5
• Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514
APIs
• FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
• Instruction ID: be2fe49a244c431ec9946715e535269e6deba234050b303873a188c7b9bcae40
• Opcode Fuzzy Hash: 6c53cdab159c99083d4d98b8786732a30233f1b333e0139ad3d8075ed81d35ad
• Instruction Fuzzy Hash: C5C00271511210AED750DFBA9D4C75637D4A71832AF068477F40CC3160F6344840CB09
APIs
• SetErrorMode.KERNEL32(?,0042E85D), ref: 0042E850
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
• Instruction ID: 289f6c2202f902c5fbbb0b24ee8d848b414576690a26c35d590b8c03c3951524
• Opcode Fuzzy Hash: bbf0f8014a804afebd1604ab393a38912dcaab738292d82ddfa54d7cc6c30dd0
• Instruction Fuzzy Hash: A7B09B76B0C6005DF705D6D5745152D63D4D7C57203E1457BF454D35C0D93C58004918
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: a0c6aa8902cc3208d5e04c02e1b2d56b9c79d5a4ff1a08c822a552ee674eaf65
• Instruction ID: a049f017766f74ee94b83235d94ec2d7737a3ea42143ca09c2755b46fea829eb
• Opcode Fuzzy Hash: a0c6aa8902cc3208d5e04c02e1b2d56b9c79d5a4ff1a08c822a552ee674eaf65
• Instruction Fuzzy Hash: 7FA002343D530430F47463510D13F4400402744F15EE1409573053D0C304D82424201D
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DestroyWindow
• String ID:
• API String ID: 3375834691-0
• Opcode ID: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
• Instruction ID: 951f12253bcdbe2be33f1d7372765b1b3ebb510443260a24e1bbd496af9ec3c9
• Opcode Fuzzy Hash: 7c218e59c1dd1ff03dc8e849b9cf22d0cf8864dd38f6abff84783c2b34ac62d8
• Instruction Fuzzy Hash: AFA002755015409ADB10E7A5C84DF7A2298BF44204FD905FA714CA7052C53CD9008A55
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,0047F287,?,?,?,?,00000000,00000000,00000000,00000000), ref: 0047F241
                                                                                                                                                                                                              • Part of subcall function 0042CE50: GetSystemMetrics.USER32(0000002A), ref: 0042CE62
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ByteCharMetricsMultiSystemWide
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 224039744-0
                                                                                                                                                                                                            • Opcode ID: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
                                                                                                                                                                                                            • Instruction ID: 496bb1a5f94cf580fd05206e04ab07141ed402b11bdf28edaa456749bafa96dd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f52afbad91b667b6f6308f5f7be5f2f829de3790a0e249e9b62606124138a6e4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D51B670600245FFDB10DFA6D884B9AB7F8EB19308F518077E804A73A2D778AD49CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,00000000,?,?,00000000,0045D834), ref: 0045D80D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorFullLastNamePath
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2157422313-0
                                                                                                                                                                                                            • Opcode ID: 9496637c5be4f45600dd852a490db853eaf0602299792abc810e83aca145d4fa
                                                                                                                                                                                                            • Instruction ID: e271e1d84c0b7232cbeee5b0715f984ebfaf7416c270e3c33bd16b7cbb57140a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9496637c5be4f45600dd852a490db853eaf0602299792abc810e83aca145d4fa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E113370B04204AFDB10EEA9CCC19AEB7E8DF49315F60457AFC14E3382D6789F099655
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041F1F4,?,00423CDF,0042405C,0041F1F4), ref: 0041F832
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocVirtual
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4275171209-0
                                                                                                                                                                                                            • Opcode ID: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
                                                                                                                                                                                                            • Instruction ID: 12b252a98648104a36852bc9e66bdd9c626d3d2234b6f24232172dde86ff5d2a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3cd9b2b82d3c03bb1042e3aec431f22b9c9f9b479e5e8d2dc048638413a345c3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FA1148746007059BCB10DF19C880B82FBE4EB98350F10C53AE9588B385D374E849CBA8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • VirtualFree.KERNEL32(00000000,00000000,00004000,?,?,?,?,?,00401973), ref: 00401766
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FreeVirtual
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1263568516-0
                                                                                                                                                                                                            • Opcode ID: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
                                                                                                                                                                                                            • Instruction ID: 191f0f4b7cd680364798b3dc381f6aadc2f07e0dbee61be3c45a65ffd8c3a871
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c75a05877fa6d12c6d50048bf692a8cb9b872a1b30c0c7aeae6369689fd3dcf9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E01FC766442148FC3109E29DCC0E2677E8D794378F15453EDA85673A1D37A7C4187D8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00453771), ref: 00453753
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1452528299-0
                                                                                                                                                                                                            • Opcode ID: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
                                                                                                                                                                                                            • Instruction ID: c77a4f58350eb22b54b4dfaca8229fa0e9126d3262ef2898ea61e0989ca8d5dd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 23d18d59897e39bc4499862bac3fc6016057085f4d4fb8d535a9825dcce29caf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24014CB5A042046B8701DF69A8114AEFBE8DB4D3617208277FC64D3342D7345E059764
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetVersion.KERNEL32(?,00419440,00000000,?,?,?,00000001), ref: 0041F576
                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F592
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F59E
                                                                                                                                                                                                            • SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419440,00000000,?,?,?,00000001), ref: 0041F5AC
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F5DC
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F605
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F61A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F62F
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F644
• GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F659
• GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F66E
• GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F683
• GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F698
• GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F6AD
• FreeLibrary.KERNEL32(00000001,?,00419440,00000000,?,?,?,00000001), ref: 0041F6BF
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
• String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
• API String ID: 2323315520-3614243559
• Opcode ID: 7f93fe397e684a103bce9d62382bab99a389729839f73a4ae53f62d0e5e878ce
• Instruction ID: 05ddd3b6a7babc3b5f2b58818bfec20f43c940fb7309246182468bed43dc01b1
• Opcode Fuzzy Hash: 7f93fe397e684a103bce9d62382bab99a389729839f73a4ae53f62d0e5e878ce
• Instruction Fuzzy Hash: C93104B1A00604BBD710EF75BD46A6933A4F728B28B59093BB148D71A2E77C9C468F5C
APIs
• GetTickCount.KERNEL32 ref: 00458E2B
• QueryPerformanceCounter.KERNEL32(00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E34
• GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458E3E
• GetCurrentProcessId.KERNEL32(?,00000000,00000000,004590BE,?,?,00000000,00000000,?,004597BA,?,00000000,00000000), ref: 00458E47
• CreateNamedPipeA.KERNEL32 ref: 00458EBD
• GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00458ECB
• CreateFileA.KERNEL32(00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 00458F13
• SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00459069,?,00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000,0045907A), ref: 00458F4C
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• CreateProcessA.KERNEL32 ref: 00458FF5
• CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0045902B
• CloseHandle.KERNEL32(000000FF,00459070,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00459063
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
• String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
• API String ID: 770386003-3271284199
• Opcode ID: 588258891636d6961f6f973a73ca3d63e7b3c2cb37b3ea655e6ca71426862519
• Instruction ID: c4bf9a6304175502231bb311a6f33329fdfd9ee29416440b986483e0f2b1c780
• Opcode Fuzzy Hash: 588258891636d6961f6f973a73ca3d63e7b3c2cb37b3ea655e6ca71426862519
• Instruction Fuzzy Hash: 9071F270A00654DADB10DF65CC46B9E7BF8EB05705F1045AAF908FB282DB785D448F69
APIs
  • Part of subcall function 004795B8: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
  • Part of subcall function 004795B8: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
  • Part of subcall function 004795B8: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
  • Part of subcall function 004795B8: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C), ref: 00479614
  • Part of subcall function 004795B8: CloseHandle.KERNEL32(00000000,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632
  • Part of subcall function 00479690: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00479722,?,?,?,02317A1C,?,00479784,00000000,0047989A,?,?,?,?), ref: 004796C0
• ShellExecuteEx.SHELL32 ref: 004797D4
• GetLastError.KERNEL32(0000003C,00000000,0047989A,?,?,?,?), ref: 004797DD
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF,00000000,00479878,?,0000003C,00000000,0047989A,?,?,?,?), ref: 0047982A
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047984E
• CloseHandle.KERNEL32(00000000,0047987F,00000000,00000000,000000FF,000000FF,00000000,00479878,?,0000003C,00000000,0047989A,?,?,?,?), ref: 00479872
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
• Opcode ID: f75691c6988614191e08cddca8c11734c2160cae10b5dfc7f4e0ecb506ded385
• Instruction ID: ef977962423105e2be3f30a06cf623b0e2f7e3d3d4ebd630472f9d2e264b432c
• Opcode Fuzzy Hash: f75691c6988614191e08cddca8c11734c2160cae10b5dfc7f4e0ecb506ded385
• Instruction Fuzzy Hash: 35314471910204AADB10FFAA88416DEBAB8EF45314F51857FF518F7281D77C8D058B1A
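The two function listings above (the named-pipe launch of the `InnoSetup64BitHelper` child process, and the `ShellExecuteEx` call whose string set includes the `runas` verb) are the kind of per-function API and string sets that are easier to triage programmatically than by eye, in particular when the same installer stub shows up in many reports. The script below is an added example; it is not part of the Joe Sandbox report and has nothing to do with the analysed sample's own code. It parses this listing shape (`• API.MODULE(args), ref: ADDR` bullets, `Part of subcall function` sub-bullets, and the `Similarity` key/value lines), splits the `$`-separated `String ID` into individual strings, and tags a few API/string combinations. The excerpt in `SAMPLE_LISTING` is a constructed subset in the same shape as the listings above; the rule set and tag names are this example's own choices, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed excerpt in the shape of the Joe Sandbox IDA-plugin listing above.
SAMPLE_LISTING = r"""
APIs
• GetTickCount.KERNEL32 ref: 00458E2B
• CreateNamedPipeA.KERNEL32 ref: 00458EBD
• CreateFileA.KERNEL32(00000000,C0000000,00000000,0049BB24,00000003,00000000,00000000,00000000), ref: 00458F13
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• CreateProcessA.KERNEL32 ref: 00458FF5
Similarity
• API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime
• String ID: Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x
• API String ID: 770386003-3271284199
• Opcode ID: 588258891636d6961f6f973a73ca3d63e7b3c2cb37b3ea655e6ca71426862519
APIs
• ShellExecuteEx.SHELL32 ref: 004797D4
• GetLastError.KERNEL32(0000003C,00000000), ref: 004797DD
• MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047982A
• GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 0047984E
Similarity
• API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
• String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
• API String ID: 883996979-221126205
• Opcode ID: f75691c6988614191e08cddca8c11734c2160cae10b5dfc7f4e0ecb506ded385
"""

# One bullet per API call. Arguments are optional (the report omits them for
# some calls), and sub-bullets name the function the call was inlined from.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
META_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(?P<val>.*)$"
)


def parse_listing(text):
    """Split a listing into one record per 'APIs' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"calls": [], "strings": [], "meta": {}}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current["calls"].append({
                "api": m.group("api"),
                "module": m.group("mod"),
                "args": m.group("args").split(",") if m.group("args") else [],
                "ref": int(m.group("ref"), 16),
                "subcall_of": m.group("sub"),
            })
            continue
        m = META_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val").strip()
            if key == "String ID":
                # The report joins the function's strings with '$'.
                current["strings"] = [s for s in val.split("$") if s]
            else:
                current["meta"][key] = val
    return records


def classify(record):
    """Tag a function by API/string combinations (rule set is this example's own)."""
    apis = {c["api"] for c in record["calls"]}
    strings = record["strings"]
    tags = []
    if apis & {"ShellExecuteEx", "ShellExecuteExA", "ShellExecuteExW"} and "runas" in strings:
        tags.append("elevation-request(runas)")
    if apis & {"CreateNamedPipeA", "CreateNamedPipeW"} and apis & {"CreateProcessA", "CreateProcessW"}:
        tags.append("named-pipe+child-process")
    if any("InnoSetup64BitHelper" in s for s in strings):
        tags.append("inno-setup-64bit-helper")
    return tags


def index_by_api_string_id(records):
    """Group functions by the report's 'API String ID' so repeats across reports can be matched."""
    index = defaultdict(list)
    for r in records:
        key = r["meta"].get("API String ID")
        if key:
            index[key].append(r)
    return index


if __name__ == "__main__":
    for rec in parse_listing(SAMPLE_LISTING):
        apis = ", ".join(c["api"] for c in rec["calls"])
        print(rec["meta"].get("API String ID"), classify(rec), "->", apis)
```

A function tagged `inno-setup-64bit-helper` is the installer framework's own 64-bit helper launcher, which is what the pipe-name string in the listing above identifies; the `runas` tag marks the function behind the "launch a program with higher privileges" signature, so both can be reviewed as framework behaviour before time is spent on them.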
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SendMessageA.USER32 ref: 00422E44
                                                                                                                                                                                                            • ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,0042300E), ref: 00422E54
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: MessageSendShowWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1631623395-0
                                                                                                                                                                                                            • Opcode ID: 36355cfa0875aaa4458376ac3789857d0c40b428c5d374d31eae9acbb1f2989b
                                                                                                                                                                                                            • Instruction ID: bacc4b86db7cb1d0e13acf93141a7ddfdaa0ad6c2af5cb9121abc77d57b19b6c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 36355cfa0875aaa4458376ac3789857d0c40b428c5d374d31eae9acbb1f2989b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1B916270B14254AFD700DBA9DB46F9E77F4AB04304F5600B6F904AB292C7B8AE01AB58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • IsIconic.USER32 ref: 004187E3
                                                                                                                                                                                                            • GetWindowPlacement.USER32(?,0000002C), ref: 00418800
                                                                                                                                                                                                            • GetWindowRect.USER32(?), ref: 0041881C
                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 0041882A
                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000F8), ref: 0041883F
                                                                                                                                                                                                            • ScreenToClient.USER32(00000000), ref: 00418848
                                                                                                                                                                                                            • ScreenToClient.USER32(00000000,?), ref: 00418853
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ClientLongScreen$IconicPlacementRect
• String ID: ,
• API String ID: 2266315723-3772416878
• Opcode ID: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
• Instruction ID: c8128d77bd0d7ceb2c04d713c679bf83e48da9b619e6265fa23865d78167b210
• Opcode Fuzzy Hash: b787cf8406b328f9ec3a8af6233a206f78ef01905e488829e8331a9627355685
• Instruction Fuzzy Hash: 1B111971505201ABDB00EF69C885E9B77E8AF48314F140A7EB958DB286C738D900CB65
APIs
• IsIconic.USER32 ref: 0042F744
• GetWindowLongA.USER32(?,000000F0), ref: 0042F758
• GetWindowLongA.USER32(?,000000EC), ref: 0042F76F
• GetActiveWindow.USER32(?,00000000,?), ref: 0042F778
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F7A5
• SetActiveWindow.USER32(?,0042F8D5,?,00000000,?), ref: 0042F7C6
Similarity
• API ID: Window$ActiveLong$IconicMessage
• String ID:
• API String ID: 1633107849-0
• Opcode ID: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
• Instruction ID: 4c2db8bb30fa69d0e852579bfabd785c91e73d104037fd1269e13a33cc275b58
• Opcode Fuzzy Hash: 49306f5a5aea126db747c93f7e274e0cd8a3885b454e69ee071c1ce4e6e90790
• Instruction Fuzzy Hash: 0D31B170A00654AFDB01EFB5DC52D6EBBF8EB09704B9244BBF804E7291D6389D04CB18
APIs
• GetCurrentProcess.KERNEL32(00000028), ref: 00455D8F
• OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00455D95
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00455DAE
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DD5
• GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00455DDA
• ExitWindowsEx.USER32(00000002,00000000), ref: 00455DEB
Similarity
• API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 107509674-3733053543
• Opcode ID: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
• Instruction ID: 02e3d1fa5e569da00b44776faf89310fbaa28c239a726f1a6525e170f6cce7ee
• Opcode Fuzzy Hash: 082306ff38d6c760ea0c9f1032eabff53d8a831f0171a5046667534f49f86738
• Instruction Fuzzy Hash: 55F06871294B02BAE650A6718C1BF7B21A8DB40749F50892ABD41EA1C3D7BDD40C8A7A
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8,?,?,00000000,0049D62C), ref: 004999E3
• SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00499A66
• FindNextFileA.KERNEL32(000000FF,?,00000000,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000), ref: 00499A7E
• FindClose.KERNEL32(000000FF,00499AA9,00499AA2,?,00000000,?,00000000,00499ACA,?,?,00000000,0049D62C,?,00499C54,00000000,00499CA8), ref: 00499A9C
Similarity
• API ID: FileFind$AttributesCloseFirstNext
• String ID: isRS-$isRS-???.tmp
• API String ID: 134685335-3422211394
• Opcode ID: 95b3f25cf4ec60d39bc400f980b771d31e145dcc29cfc9c7f6bb2460c5483c6d
• Instruction ID: e7bbbac40fef3dfc3cc8058b31a588cc53a4b1370f1491e53b11de7997221e0f
• Opcode Fuzzy Hash: 95b3f25cf4ec60d39bc400f980b771d31e145dcc29cfc9c7f6bb2460c5483c6d
• Instruction Fuzzy Hash: 98318871A015586FDF10EF66CC41ADEBBBCDB45304F5184BBA808A32A1DA389F45CE58
APIs
• PostMessageA.USER32 ref: 00457E0D
• PostMessageA.USER32 ref: 00457E34
• SetForegroundWindow.USER32(?), ref: 00457E45
• NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,0045811D,?,00000000,00458159), ref: 00458108
Strings
• Cannot evaluate variable because [Code] isn't running yet, xrefs: 00457F88
Similarity
• API ID: MessagePostWindow$ForegroundNtdllProc_
• String ID: Cannot evaluate variable because [Code] isn't running yet
• API String ID: 2236967946-3182603685
• Opcode ID: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
• Instruction ID: fc8679ff921622e129be82b5c7b8b9d6156041410e322bf9d6052ebf871bd799
• Opcode Fuzzy Hash: 685519442a570b48cb17621a111e6bc8b93d65fea83153691f85968c0254f361
• Instruction Fuzzy Hash: E8911234604204DFDB15CF55D952F1ABBF9EB88700F2180BAED04AB792CB79AE05CB58
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 004565D8
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004565DE
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-3712701948
                                                                                                                                                                                                            • Opcode ID: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
                                                                                                                                                                                                            • Instruction ID: b48cc3d91c9fc3d8a1033014b63779c50d18bc65ef0bc06e4cd1291adb105b9d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 25df71702425412e55e0ebe1ec94dd27c79a220fb61393adf873e88db180ab3d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A2417471A00249AFCF01EFA5C8829EFBBB8EF48304F514567F800F7252D6795D098B69
APIs
• IsIconic.USER32 ref: 0041815F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
• GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$Placement$Iconic
• String ID: ,
• API String ID: 568898626-3772416878
• Opcode ID: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
• Instruction ID: 655d5dfc889397085a04c255a013ff48624dbcd9c32011b5bbe491b24769000a
• Opcode Fuzzy Hash: 3939ae1d6e1c590614f47c3d4bcf148a2532e1c37498b01d3d2c2056b4d5783c
• Instruction Fuzzy Hash: 3C211D72600204ABDF00EF69CCC1ADA77E8AF49314F55456AFD18DF246CB78D9458BA8
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00464A8D), ref: 00464901
• FindFirstFileA.KERNEL32(00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464990
• FindNextFileA.KERNEL32(000000FF,?,00000000,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A22
• FindClose.KERNEL32(000000FF,00464A49,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A3C
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: 9c4269f61b84920ca12822ed024a471ff72fe9e9b28da976123b0901a486667e
• Instruction ID: ae00aa0afc7aa582470d59ca75ba9400823c3a1943f8949d3747a5def8a0c8eb
• Opcode Fuzzy Hash: 9c4269f61b84920ca12822ed024a471ff72fe9e9b28da976123b0901a486667e
• Instruction Fuzzy Hash: B541C570A00658AFDF11EFA5DC45ADEB7B8EB89305F4044BAF404E7381E63C9E488E19
APIs
• SetErrorMode.KERNEL32(00000001,00000000,00464F33), ref: 00464DC1
• FindFirstFileA.KERNEL32(00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464E07
• FindNextFileA.KERNEL32(000000FF,?,00000000,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EBC
• FindClose.KERNEL32(000000FF,00464EE7,00464EE0,?,00000000,?,00000000,00464EFE,?,00000001,00000000,00464F33), ref: 00464EDA
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstModeNext
• String ID:
• API String ID: 4011626565-0
• Opcode ID: bf41e3cc1b133229262ffb54fabbd49d98797372cd5bfa19d660c2805fd8b5e1
• Instruction ID: 8e27f6cc4c7e55bed8f6d5ebd72a4c3c722eac7afebeb0f1b00dc6af3d7f2fe3
• Opcode Fuzzy Hash: bf41e3cc1b133229262ffb54fabbd49d98797372cd5bfa19d660c2805fd8b5e1
• Instruction Fuzzy Hash: 31416535A006589FCB11EFA5CD859DEB7B9FBC8305F5044AAF804E7341EB389E448E59
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDA6
• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EDD1
• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDDE
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDE6
• SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDEC
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 1177325624-0
• Opcode ID: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
• Instruction ID: d5f14a2582f403684e4f7b299b1070748df424b87161b08669007267f0031b9d
• Opcode Fuzzy Hash: 060edd20a8b9ef3e5187fa71c6153c8dffa7266a06f07a40ca48e996766aa3cd
• Instruction Fuzzy Hash: 21F0F0723A07203AF620B17A6C82F7F018CC784B68F10423AF704FF1D1D9A84D0515AD
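The "APIs" listings above are worth reading with two things in mind. First, the sandbox prints a stack snapshot at the call site, so a function shows more values than it declares (GetLastError takes no parameters yet is listed with fourteen); only the first N values, where N is the API's declared parameter count, are real arguments, and the rest are whatever was left on the stack, which is where the string GetDiskFreeSpaceExA next to GetModuleHandleA comes from. Second, the DeviceIoControl code 0009C040 can be decoded with the Windows CTL_CODE layout (device type in the top 16 bits, access in bits 14-15, function in bits 2-13, method in bits 0-1): device 0x9 is FILE_DEVICE_FILE_SYSTEM, function 16, METHOD_BUFFERED, read+write access, which is FSCTL_SET_COMPRESSION, and the 2-byte input buffer matches the USHORT compression state that control takes. The script below is an added example, not Joe Sandbox code and not code from the analysed sample; the parameter-count table and the small IOCTL name table are the assumptions it relies on, and the sample input is copied from the listings above.

```python
import re
from typing import Optional

# Added example: parses Joe Sandbox "APIs" lines and decodes DeviceIoControl codes.
# Not Joe Sandbox code and not part of the analysed sample.

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEXWORD = re.compile(r"^[0-9A-Fa-f]{8}$")

# Declared parameter counts (assumption: stdcall Win32 prototypes). The sandbox
# prints a stack snapshot, so values past this count are leftovers, not arguments.
PARAM_COUNT = {
    "GetModuleHandleA": 1, "GetProcAddress": 2, "IsIconic": 1, "SetWindowPos": 7,
    "GetWindowPlacement": 2, "SetWindowPlacement": 2, "SetErrorMode": 1,
    "FindFirstFileA": 2, "FindNextFileA": 2, "FindClose": 1, "CreateFileA": 7,
    "DeviceIoControl": 8, "GetLastError": 0, "CloseHandle": 1, "SetLastError": 1,
    "GetWindowLongA": 2, "ShowWindow": 2,
}

# CTL_CODE(DeviceType, Function, Method, Access) = DeviceType<<16 | Access<<14 | Function<<2 | Method
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
KNOWN_IOCTLS = {  # a few SDK constants; extend as needed
    0x0009003C: "FSCTL_GET_COMPRESSION", 0x0009C040: "FSCTL_SET_COMPRESSION",
    0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900C4: "FSCTL_SET_SPARSE", 0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
}


def parse_api_line(line: str) -> Optional[dict]:
    """Split one 'APIs' line into function, module, declared args, stack leftovers and call site."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    values = raw.split(",") if raw else []
    func = m.group("func")
    n = PARAM_COUNT.get(func, len(values))
    return {"func": func, "module": m.group("module"), "ref": int(m.group("ref"), 16),
            "args": values[:n], "stack_extra": values[n:]}


def decode_ioctl(code: int) -> dict:
    """Break a DeviceIoControl code into its CTL_CODE fields and name it if known."""
    device = (code >> 16) & 0xFFFF
    return {"code": code, "device": DEVICE_TYPES.get(device, f"0x{device:X}"),
            "access": (code >> 14) & 0x3, "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3], "name": KNOWN_IOCTLS.get(code),
            "filesystem_control": device == 0x09}


def triage(lines) -> list:
    """Turn a block of API lines into the findings an analyst would note."""
    calls = [c for c in map(parse_api_line, lines) if c]
    names = {c["func"] for c in calls}
    findings = []
    if {"GetModuleHandleA", "GetProcAddress"} <= names:
        # The resolved symbol name sits in the stack snapshot, not in the declared args.
        syms = sorted({v for c in calls if c["func"] in ("GetModuleHandleA", "GetProcAddress")
                       for v in c["args"] + c["stack_extra"] if v != "?" and not HEXWORD.match(v)})
        findings.append(("dynamic_api_resolution", syms))
    if {"FindFirstFileA", "FindNextFileA"} <= names:
        findings.append(("directory_enumeration", "FindFirstFileA/FindNextFileA loop"))
    for c in calls:
        if c["func"] == "DeviceIoControl" and len(c["args"]) > 1 and HEXWORD.match(c["args"][1]):
            findings.append(("ioctl", decode_ioctl(int(c["args"][1], 16))))
    return findings


REPORT_LINES = [  # constructed sample input: lines copied from the APIs blocks above
    "• GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,004566E7), ref: 004565D8",
    "• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004565DE",
    "• SetErrorMode.KERNEL32(00000001,00000000,00464A8D), ref: 00464901",
    "• FindFirstFileA.KERNEL32(00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464990",
    "• FindNextFileA.KERNEL32(000000FF,?,00000000,00464A42,?,00000000,?,00000000,00464A60,?,00000001,00000000,00464A8D), ref: 00464A22",
    "• CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDA6",
    "• DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042EDD1",
    "• GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,00453683,00000000,004536A4), ref: 0042EDDE",
    "• IsIconic.USER32 ref: 0041815F",
]

if __name__ == "__main__":
    for kind, detail in triage(REPORT_LINES):
        print(kind, detail)
```

Run against the copied lines, the DeviceIoControl finding comes back as FSCTL_SET_COMPRESSION on a handle that CreateFileA opened with GENERIC_READ|GENERIC_WRITE (C0000000), OPEN_EXISTING (00000003) and FILE_FLAG_BACKUP_SEMANTICS (02000000). That is a file-system control on a file or directory handle, the kind of call an installer makes to toggle NTFS compression, and it is what fires the "communicate with device drivers" signature here; it is not evidence of a custom kernel driver. Treat the triage output as a starting point, not a verdict: the parameter-count table only covers the APIs seen on this page, and an IOCTL absent from KNOWN_IOCTLS still gets its fields decoded but no name.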
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • IsIconic.USER32 ref: 00484D66
                                                                                                                                                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00484D84
                                                                                                                                                                                                            • ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DA6
                                                                                                                                                                                                            • ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049E0AC,00484242,00484276,00000000,00484296,?,?,?,0049E0AC), ref: 00484DBA
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$Show$IconicLong
• String ID:
• API String ID: 2754861897-0
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,00463418), ref: 0046339C
• FindNextFileA.KERNEL32(000000FF,?,00000000,004633F8,?,00000000,?,00000000,00463418), ref: 004633D8
• FindClose.KERNEL32(000000FF,004633FF,004633F8,?,00000000,?,00000000,00463418), ref: 004633F2
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• IsIconic.USER32 ref: 00424634
• SetActiveWindow.USER32(?,?,?,?,0046DA13), ref: 00424641
  • Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
  • Part of subcall function 00423F64: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,023125AC,0042465A,?,?,?,?,0046DA13), ref: 00423F9F
• SetFocus.USER32(00000000,?,?,?,?,0046DA13), ref: 0042466E
Similarity
• API ID: Window$ActiveFocusIconicShow
• String ID:
• API String ID: 649377781-0
APIs
• InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 0042F261
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,00000001,00000001), ref: 0042F271
• CreateMutexA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042F299
Similarity
• API ID: DescriptorSecurity$CreateDaclInitializeMutex
• String ID:
• API String ID: 3525989157-0
APIs
• IsIconic.USER32 ref: 0041815F
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0041817D
• GetWindowPlacement.USER32(?,0000002C), ref: 004181B3
• SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 004181DA
Similarity
• API ID: Window$Placement$Iconic
• String ID:
• API String ID: 568898626-0
APIs
Similarity
• API ID: CaptureIconic
• String ID:
• API String ID: 2277910766-0
APIs
• IsIconic.USER32 ref: 004245EB
  • Part of subcall function 00423ED4: EnumWindows.USER32(00423E6C), ref: 00423EF8
  • Part of subcall function 00423ED4: GetWindow.USER32(?,00000003), ref: 00423F0D
  • Part of subcall function 00423ED4: GetWindowLongA.USER32(?,000000EC), ref: 00423F1C
  • Part of subcall function 00423ED4: SetWindowPos.USER32(00000000,004245AC,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004245FB,?,?,004241C3), ref: 00423F52
• SetActiveWindow.USER32(?,?,?,004241C3,00000000,004245AC), ref: 004245FF
  • Part of subcall function 00423A9C: ShowWindow.USER32(004108B0,00000009,?,00000000,0041F1F4,00423D8A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,0042405C), ref: 00423AB7
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$ActiveEnumIconicLongShowWindows
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2671590913-0
                                                                                                                                                                                                            • Opcode ID: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
                                                                                                                                                                                                            • Instruction ID: 0eb0e95855424de6865fa4d756a676c77cd5728601e575884a8a50090c80911a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a354955b864757cfaa5613f9b306845f8d366a619694d2750710a135c8cdae9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3BE01A6070010187DB00EFAAE8C4B8622A8BF88305F55017ABC08CF24BDA3CDC048728
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,00412C25), ref: 00412C13
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4255912815-0
                                                                                                                                                                                                            • Opcode ID: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
                                                                                                                                                                                                            • Instruction ID: cdfe5c129d614e166dcfab814c58775b37bd24f4e82d9105b90a581207f53ed6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: de892e97fbd68e1bb7582f7974717f862a539d23c567f166e41cd9819a8f42aa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0451C2316082058FC720DF6AD781A9AF3E5EF98304B2086ABD904C7351EAB9ED91C74D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 00479E56
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                             • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: NtdllProc_Window
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4255912815-0
                                                                                                                                                                                                            • Opcode ID: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
                                                                                                                                                                                                            • Instruction ID: 77384fbc8b33c5310ab19163c687e45bac72601044cd1e9f95c219b02d082465
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 462738d441aef1136b86fc8094aec41bc4a49bb6b5bf6afc55cbfc6645c50547
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71414A75604105EFCB20CF99C6808AAB7F5EB48310B74C9A6E849DB745D338EE41DB94
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0044BAA4: GetVersionExA.KERNEL32(00000094), ref: 0044BAC1
                                                                                                                                                                                                              • Part of subcall function 0044BAF8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044BB10
                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044BC8C
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044BC9E
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044BCB0
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044BCC2
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044BCD4
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044BCE6
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044BCF8
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044BD0A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044BD1C
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044BD2E
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044BD40
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044BD52
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044BD64
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044BD76
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044BD88
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044BD9A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044BDAC
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044BDBE
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044BDD0
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044BDE2
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044BDF4
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044BE06
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044BE18
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044BE2A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044BE3C
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044BE4E
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044BE60
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044BE72
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044BE84
• GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044BE96
• GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044BEA8
• GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044BEBA
• GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044BECC
• GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044BEDE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystemVersion
• String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
• API String ID: 2754715182-2910565190
• Opcode ID: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
• Instruction ID: 345b4916510d3cb7c096cba84ec2b1d1bd9d6ff2ab3c947e91cb1c242a843473
• Opcode Fuzzy Hash: 2001b9481bd4323523c3a6d9ee5d3feebd5ce703d364f315cb0e33d3a930df2d
• Instruction Fuzzy Hash: 49A16AB0A41A50EBEB00EFF5DC86A2A37A8EB15B14B1405BBB444EF295D678DC048F5D
APIs
• Sleep.KERNEL32(00000000,00000000,004944E1,?,?,?,?,00000000,00000000,00000000), ref: 0049402C
• FindWindowA.USER32 ref: 0049405D
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FindSleepWindow
• String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
• API String ID: 3078808852-3310373309
• Opcode ID: 440ea2a378728cb60bd6447d57bf3ec1db7f0b39e7025f77ea846c71da36df6a
• Instruction ID: aaf63752e06fee66a7d05b71673dc8e7902340e663ecb0da5339ca9489632561
• Opcode Fuzzy Hash: 440ea2a378728cb60bd6447d57bf3ec1db7f0b39e7025f77ea846c71da36df6a
• Instruction Fuzzy Hash: 7EC14060B0421027DB14FB7ACC4692E5A999BD4704750CA3FB40AEB78BDE3CDC0B4799
APIs
• GetDC.USER32 ref: 0041CE90
• CreateCompatibleDC.GDI32(?), ref: 0041CE9C
• CreateBitmap.GDI32 ref: 0041CEC0
• CreateCompatibleBitmap.GDI32 ref: 0041CED0
• SelectObject.GDI32(0041D28C,00000000), ref: 0041CEEB
• FillRect.USER32 ref: 0041CF26
• SetTextColor.GDI32(0041D28C,00000000), ref: 0041CF3B
• SetBkColor.GDI32(0041D28C,00000000), ref: 0041CF52
• PatBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00FF0062), ref: 0041CF68
• CreateCompatibleDC.GDI32(?), ref: 0041CF7B
• SelectObject.GDI32(00000000,00000000), ref: 0041CFAC
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 0041CFC4
• RealizePalette.GDI32(00000000), ref: 0041CFCD
• SelectPalette.GDI32(0041D28C,00000000,00000001), ref: 0041CFDC
• RealizePalette.GDI32(0041D28C), ref: 0041CFE5
• SetTextColor.GDI32(00000000,00000000), ref: 0041CFFE
• SetBkColor.GDI32(00000000,00000000), ref: 0041D015
• BitBlt.GDI32(0041D28C,00000000,00000000,0041AD94,?,00000000,00000000,00000000,00CC0020), ref: 0041D031
• SelectObject.GDI32(00000000,?), ref: 0041D03E
• DeleteDC.GDI32(00000000), ref: 0041D054
  • Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ColorSelect$CreatePalette$CompatibleObject$BitmapRealizeText$DeleteFillRect
• String ID:
• API String ID: 269503290-0
• Opcode ID: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
• Instruction ID: f3cd37e79d0242250547ce8a95e3067296a2558137ee74c5e82542f4c8f5946c
• Opcode Fuzzy Hash: 5e0ecd7f746a94368510dc98cd5b3d13ae19e4ca4739b00519ae71ef4424a664
• Instruction Fuzzy Hash: 6F61CD71A44604AFDB10EBE9DC46FAFB7B8EF48704F10446AF504E7281C67CA9418B69
APIs
• CoCreateInstance.OLE32(0049BA74,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E1A
• CoCreateInstance.OLE32(0049B764,00000000,00000001,0049B774,?,00000000,0045717F), ref: 00456E40
• SysFreeString.OLEAUT32(00000000), ref: 00456FF7
Strings
• IPersistFile::Save, xrefs: 004570FE
• %ProgramFiles(x86)%\, xrefs: 00456ECA
• CoCreateInstance, xrefs: 00456E4B
• IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall), xrefs: 0045702E
• IShellLink::QueryInterface(IID_IPropertyStore), xrefs: 00456F59
• IPropertyStore::SetValue(PKEY_AppUserModel_ID), xrefs: 00456FDC
• {pf32}\, xrefs: 00456EBA
• IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning), xrefs: 00456F8D
• IPropertyStore::Commit, xrefs: 0045707F
• IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption), xrefs: 00457066
• IShellLink::QueryInterface(IID_IPersistFile), xrefs: 004570A0
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateInstance$FreeString
• String ID: %ProgramFiles(x86)%\$CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)$IPropertyStore::SetValue(PKEY_AppUserModel_ID)$IPropertyStore::SetValue(PKEY_AppUserModel_PreventPinning)$IPropertyStore::SetValue(PKEY_AppUserModel_StartPinOption)$IShellLink::QueryInterface(IID_IPersistFile)$IShellLink::QueryInterface(IID_IPropertyStore)${pf32}\
• API String ID: 308859552-2363233914
• Opcode ID: 93e5a5c0d7a20504b98ac55000e6e3f3033edd77299ae39f481bc7526604c0d6
• Instruction ID: 02ec3099c1e013a4d2a6014e0405d8002507ef7a0ca247d1a979c15f6e32810c
• Opcode Fuzzy Hash: 93e5a5c0d7a20504b98ac55000e6e3f3033edd77299ae39f481bc7526604c0d6
• Instruction Fuzzy Hash: 57B18071A04204AFDB11DFA9D845B9E7BF8AF08706F5440B6F904E7262DB38DD48CB69
APIs
  • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00473C58
• SHChangeNotify.SHELL32 ref: 00473D73
• SHChangeNotify.SHELL32 ref: 00473D89
• SHChangeNotify.SHELL32 ref: 00473DAE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
                                                                                                                                                                                                            • String ID: .lnk$.pif$.url$Creating the icon.$Desktop.ini$Dest filename: %s$Successfully created the icon.$target.lnk${group}\
                                                                                                                                                                                                            • API String ID: 971782779-2902529204
                                                                                                                                                                                                            • Opcode ID: 0a35e12aea509a7e54ae466e3ca9dbe00f98180b4d7421f3134f165c055a7807
                                                                                                                                                                                                            • Instruction ID: 9b31a6288a8d0ad81c732a29d19026b8086b57763a6276d7ac4447936d78ea7d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a35e12aea509a7e54ae466e3ca9dbe00f98180b4d7421f3134f165c055a7807
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EBD11374A00148ABDB11DFA9D582BDDBBF4AF08305F50806AF804B7392D778AE45DB69
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • ShowWindow.USER32(?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000,0049A411,?,00000000), ref: 00499D3B
                                                                                                                                                                                                            • CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000,?,0049A407,00000000), ref: 00499D4E
                                                                                                                                                                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000,00000000), ref: 00499D5E
                                                                                                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050), ref: 00499D7F
                                                                                                                                                                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,0049A050,?,?,00000000,?,00000000), ref: 00499D8F
                                                                                                                                                                                                              • Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
                                                                                                                                                                                                            • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                                                                                                                                                                                            • API String ID: 2000705611-3672972446
                                                                                                                                                                                                            • Opcode ID: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
                                                                                                                                                                                                            • Instruction ID: 24b702ce4587ab849973673670b37801b9677cadbfb3bf4f1077f7c12e9ac28d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 925e690ebd037e7923dbbcefbad47493d482e32af6c3f83e886948a8d640b5b4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5591C430A04205AFDF11EF69C852BAEBBB4EB49304F51447AF500AB792C63DAC05CB6D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,0045B190,?,?,?,?,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045B042
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                                                                                                                                                                            • API String ID: 1452528299-3112430753
                                                                                                                                                                                                            • Opcode ID: 40b9f5196d712795c6723aabbf18e3bcf6ec9952ad21e77cd65b077e1d7ea276
                                                                                                                                                                                                            • Instruction ID: 1722664f16d817fc675012576ec738190a07adef69c32437d7057340c1fc2b4b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 40b9f5196d712795c6723aabbf18e3bcf6ec9952ad21e77cd65b077e1d7ea276
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3271AE307006445BDB01EB6A88927AE7BA5EF49755F50846BFC01EB383CB7C8E49879D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B813
                                                                                                                                                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0041B81D
                                                                                                                                                                                                            • GetObjectA.GDI32 ref: 0041B82F
                                                                                                                                                                                                            • CreateBitmap.GDI32 ref: 0041B846
                                                                                                                                                                                                            • GetDC.USER32 ref: 0041B852
                                                                                                                                                                                                            • CreateCompatibleBitmap.GDI32 ref: 0041B87F
                                                                                                                                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041B8A5
                                                                                                                                                                                                            • SelectObject.GDI32(00000000,?), ref: 0041B8C0
                                                                                                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B8CF
                                                                                                                                                                                                            • StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
                                                                                                                                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041B909
                                                                                                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B917
                                                                                                                                                                                                            • DeleteDC.GDI32(00000000), ref: 0041B920
                                                                                                                                                                                                            • DeleteDC.GDI32(?), ref: 0041B929
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 644427674-0
                                                                                                                                                                                                            • Opcode ID: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
                                                                                                                                                                                                            • Instruction ID: 5456327a1e321ce8c2b8187df1c916a831ebe275c46a8a968a344784d91ca00b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 545e798d89bfd874ee53134500b0446245b84f374f10eb2ff5fc30c629433f8f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC419F71E44609ABDB10EAE9C845FEFB7BCEB08704F104466F614F7281D7786D418BA8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,?,00000000,?,00000000,00455275,?,0045B366,00000003,00000000,00000000,004552AC), ref: 004550F5
                                                                                                                                                                                                              • Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 00455179
                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(0045B366,00000000,00000000,00000000,?,00000004,00000000,004551BF,?,0045B366,00000000,00000000,?,00000000,?,00000000), ref: 004551A8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0045504C
                                                                                                                                                                                                            • RegOpenKeyEx, xrefs: 00455078
                                                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00455013
                                                                                                                                                                                                            • , xrefs: 00455066
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: QueryValue$FormatMessageOpen
• String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2812809588-1577016196
• Opcode ID: 2751d3f1861e418f081ddf6454286212c6d932ba5dee6d04c203c687234d9735
• Instruction ID: 06452bf81ef06fa34888f2ab1cc7b3841a1100f4c60e90cd60a05f06e497d7d6
• Opcode Fuzzy Hash: 2751d3f1861e418f081ddf6454286212c6d932ba5dee6d04c203c687234d9735
• Instruction Fuzzy Hash: E0913371D04608ABDB10DFA5C952BEEB7F8EB08305F50406BF904F7282D6799E088B69
APIs
  • Part of subcall function 00459B60: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459CFB
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459D65
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459DCC
Strings
• SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00459D7F
• v4.0.30319, xrefs: 00459CED
• .NET Framework version %s not found, xrefs: 00459E05
• SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00459CAE
• .NET Framework not found, xrefs: 00459E19
• v1.1.4322, xrefs: 00459DBE
• SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00459D18
• v2.0.50727, xrefs: 00459D57
Similarity
• API ID: Close$Open
• String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
• API String ID: 2976201327-446240816
• Opcode ID: d7b66496af80865dd82b06e094c253fcc243f9f157f2f8bd9145884dc98d1b31
• Instruction ID: 13a12a4b366685baa8d6a2e304724611cbcec49206d2204e0959de5a5d6478e2
• Opcode Fuzzy Hash: d7b66496af80865dd82b06e094c253fcc243f9f157f2f8bd9145884dc98d1b31
• Instruction Fuzzy Hash: 6451B235A04104EFCB04DB66D862BEE77BADB49305F1844BBA941D7382E7799E0D8B18
APIs
• CloseHandle.KERNEL32(?), ref: 00459277
• TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00459293
• WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004592A1
• GetExitCodeProcess.KERNEL32(?), ref: 004592B2
• CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 004592F9
• Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00459315
Strings
• Helper process exited., xrefs: 004592C1
• Helper process exited, but failed to get exit code., xrefs: 004592EB
• Helper isn't responding; killing it., xrefs: 00459283
• Stopping 64-bit helper process. (PID: %u), xrefs: 00459269
• Helper process exited with failure code: 0x%x, xrefs: 004592DF
Similarity
• API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
• String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
• API String ID: 3355656108-1243109208
• Opcode ID: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
• Instruction ID: 475b633a8f1197f12a32b7740e8dffccf3703e2e74a756bc360da45c31bde27f
• Opcode Fuzzy Hash: 230b5ddc3981dfca21d5636881bab7241834d3e40b9cb852e8f413207b64b114
• Instruction Fuzzy Hash: 7B215C70604700EAC720EA7DC486B5B77D49F49305F048D2EB899DB693DA7CEC489B2A
APIs
  • Part of subcall function 0042E234: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042E260
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454DB7
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00454E67,?,00000000,00454F2B), ref: 00454EF3
  • Part of subcall function 0042ED18: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004539D7,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042ED37
Strings
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CCF
• , xrefs: 00454D19
• RegCreateKeyEx, xrefs: 00454D2B
• Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00454CFF
Similarity
• API ID: CloseCreateFormatMessageQueryValue
• String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
• API String ID: 2481121983-1280779767
• Opcode ID: 6ec3d0b23e1f48f3aad8fef16a1fab9caf92b4aa27bd1cc5b711479c94c09124
• Instruction ID: 61cb1c98edcfe528623c145d9993427f2b00fea00e486b8f0244815ce8f04fab
• Opcode Fuzzy Hash: 6ec3d0b23e1f48f3aad8fef16a1fab9caf92b4aa27bd1cc5b711479c94c09124
• Instruction Fuzzy Hash: 18810175900209ABDB01DFD5C942BDEB7B8FB49709F50442AF900FB282D7789A49CB69
APIs
  • Part of subcall function 00454024: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
  • Part of subcall function 00454024: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123
• CopyFileA.KERNEL32 ref: 004985B5
• SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,00498709), ref: 004985D6
• CreateWindowExA.USER32(00000000,STATIC,00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 004985FD
• SetWindowLongA.USER32(?,000000FC,00497D90,00000000,STATIC,00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000,00000000), ref: 00498610
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC,00498718), ref: 00498640
• MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC), ref: 004986B4
• CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000), ref: 004986C0
  • Part of subcall function 00454498: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F
• DestroyWindow.USER32(?,004986E3,00000000,00000000,00000000,00000000,00000000,00000097,00000000,004986DC,?,?,000000FC,00497D90,00000000,STATIC), ref: 004986D6
Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$File$CloseCreateHandle$AttributesCopyDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                                                                                                                                                                            • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                                                                                                                                                                            • API String ID: 1549857992-2312673372
                                                                                                                                                                                                            • Opcode ID: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
                                                                                                                                                                                                            • Instruction ID: 19a9ac76a87cbdbac9fefc72f4bc8d66673aab5a8439699f4ab81f25108c8d39
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33f0aa1e6c66ba33127d106aa60bf689e86794d53dcbda2b1297c66d72ebb552
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78414771A54204AFDF00EBA5CC42F9E7BF8EB09714F51457AF500FB291DA799E048B58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E891
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E897
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E96D,?,00000000,0047F9E0,00000000), ref: 0042E8E5
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressCloseHandleModuleProc
                                                                                                                                                                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$hE
                                                                                                                                                                                                            • API String ID: 4190037839-2100363064
                                                                                                                                                                                                            • Opcode ID: f58b6d4dbbec461593ba7b64236c63f951e922bfac5eb23f31135b9ac24a6388
                                                                                                                                                                                                            • Instruction ID: 343416b7bfae85f45959abe8e21461bd4048f30ead5244c3b453dfa896624356
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f58b6d4dbbec461593ba7b64236c63f951e922bfac5eb23f31135b9ac24a6388
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06214470B00229EBDB50EAA7DC42BAE77A8EB44314F904477A500E7281DB7C9E45DB1C
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetActiveWindow.USER32 ref: 004635F0
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 00463604
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00463611
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0046361E
                                                                                                                                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0046366A
                                                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004636A8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                                                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                                                                                                                            • API String ID: 2610873146-3407710046
                                                                                                                                                                                                            • Opcode ID: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
                                                                                                                                                                                                            • Instruction ID: 23225dc964baf5770c03b9449d190f9fd0809e25ab0c2f23061680c52a7637e8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5d54fb813e64eee8d2e1fd1d869d3f84fcc541412d8aec38238ce219d7c6ea2a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AE21C2B17006446BD320EE68CC45F3B76D9EB84B05F09452EF944DB3C1EA78DD004B5A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetActiveWindow.USER32 ref: 0042F620
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F634
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F641
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F64E
                                                                                                                                                                                                            • GetWindowRect.USER32(?,00000000), ref: 0042F69A
                                                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F6D8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$AddressProc$ActiveHandleModuleRect
                                                                                                                                                                                                            • String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
                                                                                                                                                                                                            • API String ID: 2610873146-3407710046
                                                                                                                                                                                                            • Opcode ID: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
                                                                                                                                                                                                            • Instruction ID: 8e363f887434259cf3ecd6bfca6d9ac669349ab4594bae960fb014309ef79425
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e18f176ca51f207d9f48e4ded0b32e3445f45e6b18c2f86467d84d44384674f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BC21C2B27006146FD600EA68DC85F3B72A9EB84704F89463AF944DB391DA78DC098B59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,004595F7,?,00000000,0045965A,?,?,00000000,00000000), ref: 00459475
                                                                                                                                                                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594D2
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000,00000001,00000000,00000000,00000000,004595F7), ref: 004594DF
                                                                                                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF,?,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C), ref: 0045952B
                                                                                                                                                                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459551
                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000001,00459565,?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0045958C,?,00000000), ref: 00459558
                                                                                                                                                                                                              • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
• String ID: CreateEvent$TransactNamedPipe
• API String ID: 2182916169-3012584893
• Opcode ID: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
• Instruction ID: 77fbb71d8e7aac064b87aac98c1c55f9fcb2258c1561d492b861e589c0c855dd
• Opcode Fuzzy Hash: 8c882674e4e7badbb1dce3e2dfa1fdcbe7e98f1f80990b5ca878147d0da0e0cb
• Instruction Fuzzy Hash: CF418B71A00208FFDB11DF99C981F9EB7F9EB48710F5040AAF904E7282D6789E54CB68
APIs
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00457621,?,?,00000031,?), ref: 004574E4
• GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 004574EA
• LoadTypeLib.OLEAUT32(00000000,?), ref: 00457537
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressErrorHandleLastLoadModuleProcType
• String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
• API String ID: 1914119943-2711329623
• Opcode ID: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
• Instruction ID: 559faf3bdf9cccbe36ab56d48fd8e4aa4276a02661c60707683b87f46ce48c1c
• Opcode Fuzzy Hash: b2a57cb5d0d4215bed9739cbf0b7be67a86da8044cbf193a82d044f72dd204c0
• Instruction Fuzzy Hash: 8131B471A04604BFCB01EFAADC01D5FB7BEEB8975571044B6BD04D3652EA38DD04CA68
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
• String ID:
• API String ID: 375863564-0
• Opcode ID: 990d97cb70453dddf228ae22806dd100ede861f0f9d68864237969aa7ab350c2
• Instruction ID: 6654575de22a121332528345891e4d9aada139d791074539051cb87a9fd886f5
• Opcode Fuzzy Hash: 990d97cb70453dddf228ae22806dd100ede861f0f9d68864237969aa7ab350c2
• Instruction Fuzzy Hash: 30515D712086455FDB50EF69C8C0B9B7BE8AF48314F1455AAFD588B286C738EC81CB99
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
• ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
• GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
• GetFileType.KERNEL32(?,000000F5), ref: 00404C11
• CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
• GetLastError.KERNEL32(000000F5), ref: 00404C46
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
• String ID:
• API String ID: 1694776339-0
• Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
• Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
• Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D
APIs
• GetSystemMenu.USER32(00000000,00000000), ref: 00422683
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226A1
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226AE
• DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226BB
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226C8
• DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004226D5
• DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004226E2
• DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004226EF
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042270D
• EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00422729
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$Delete$EnableItem$System
• String ID:
• API String ID: 3985193851-0
• Opcode ID: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
• Instruction ID: df9c0873c136ddd24b8aa988775969986c1613bec62327c4069b14a2c43cb384
• Opcode Fuzzy Hash: 28c3c26aa58a7b1d0b737a17757400c93c751d32761aa9437bbdc0a385d65993
• Instruction Fuzzy Hash: 5F2156743847047AE721E724CD8BF9B7BD89B54748F144069B6487F2D3C6FCAA40869C
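The API lists in this section are the raw material of the function listing: each line reads `API.MODULE(stack words), ref: address`, and the parenthesised values are the untyped stack as seen at the call site, so a reader has to recover the Win32 meaning by hand (note `GetLastError.KERNEL32(000000F5)` above for a function that takes no parameters: everything past an API's documented parameter count is leftover stack content). The following Python script is an added example written for this edit; it is not part of the Joe Sandbox report or of the analysed sample. It parses lines in this format, truncates each call to its documented parameter count, and resolves the CreateFileA, SetFilePointer, DeleteMenu and EnableMenuItem arguments to their Win32 symbolic names. The input is a constructed sample of lines copied from the two listings above; the `ARITY` table and the constant tables are the editor's own assumptions taken from the Win32 documentation, not values the report provides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

Arg = Union[int, str, None]   # hex word, literal string, or None for a '?' the sandbox did not recover

# Documented parameter counts (assumption: from the Win32 docs, not from the report). Joe Sandbox
# prints the stack at the call site, so words past this count are leftover stack content
# (e.g. "UnRegisterTypeLib" under GetModuleHandleA), not parameters of the call.
ARITY: Dict[str, int] = {
    "GetModuleHandleA": 1, "GetProcAddress": 2, "GetLastError": 0,
    "CreateFileA": 7, "GetFileSize": 2, "SetFilePointer": 4, "ReadFile": 5,
    "SetEndOfFile": 1, "GetStdHandle": 1, "GetFileType": 1, "CloseHandle": 1,
    "GetSystemMenu": 2, "DeleteMenu": 3, "EnableMenuItem": 3,
}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
SC_COMMANDS = {0xF000: "SC_SIZE", 0xF010: "SC_MOVE", 0xF020: "SC_MINIMIZE", 0xF030: "SC_MAXIMIZE",
               0xF060: "SC_CLOSE", 0xF120: "SC_RESTORE", 0xF130: "SC_TASKLIST"}
MENU_STATE = {0: "MF_ENABLED", 1: "MF_GRAYED", 2: "MF_DISABLED"}
MF_BYPOSITION = 0x400

# One report line: optional "Part of subcall function X:" prefix, API.MODULE(args), ref: address
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Constructed sample: lines copied from the function listings on this page.
SAMPLE = """\
• GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,00457621,?,?,00000031,?), ref: 004574E4
• CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
• GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
• SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002), ref: 00404B86
• SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
• GetLastError.KERNEL32(000000F5), ref: 00404C46
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005), ref: 00453C07
• GetSystemMenu.USER32(00000000,00000000), ref: 00422683
• DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 004226A1
• DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004226AE
• DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400), ref: 004226C8
• EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0042270D
"""

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]                  # truncated to ARITY when the API is known
    ref: int                         # address of the call instruction
    subcall_of: Optional[int] = None  # set when the report attributes the call to a subroutine

def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)          # int() accepts a sign, so -00000080 -> -128
    except ValueError:
        return tok                   # a literal the sandbox resolved, e.g. OLEAUT32.DLL

def parse_api_lines(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # headers such as "Strings" or "Memory Dump Source"
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"].strip() else []
        if m["api"] in ARITY:
            args = args[:ARITY[m["api"]]]
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

def _fmt(v: Arg) -> str:
    return "?" if v is None else (hex(v) if isinstance(v, int) else v)

def _flags(v: Arg, table: Dict[int, str]) -> str:
    if not isinstance(v, int):
        return "?"
    names = [name for bit, name in table.items() if v & bit]
    return "|".join(names) if names else hex(v)

def _enum(v: Arg, table: Dict[int, str]) -> str:
    return table.get(v, hex(v)) if isinstance(v, int) else "?"

def describe(call: ApiCall) -> str:
    """Render one call with its numeric stack words resolved to Win32 names."""
    a = call.args
    if call.api == "CreateFileA" and len(a) == 7:
        return (f"CreateFileA(access={_flags(a[1], ACCESS)}, share={_flags(a[2], SHARE)}, "
                f"disposition={_enum(a[4], DISPOSITION)}, attrs={_fmt(a[5])})")
    if call.api == "SetFilePointer" and len(a) == 4:
        return f"SetFilePointer(distance={_fmt(a[1])}, method={_enum(a[3], MOVE_METHOD)})"
    if call.api == "DeleteMenu" and len(a) == 3:
        if isinstance(a[2], int) and a[2] & MF_BYPOSITION:
            return f"DeleteMenu(position={_fmt(a[1])}, MF_BYPOSITION)"
        return f"DeleteMenu({_enum(a[1], SC_COMMANDS)}, MF_BYCOMMAND)"
    if call.api == "EnableMenuItem" and len(a) == 3:
        return f"EnableMenuItem({_enum(a[1], SC_COMMANDS)}, {_enum(a[2], MENU_STATE)})"
    return f"{call.api}({', '.join(_fmt(v) for v in a)})"

def api_sequence(calls: List[ApiCall]) -> List[str]:
    """The function's own call order, excluding calls the report attributes to subroutines."""
    return [c.api for c in calls if c.subcall_of is None]

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(f"{c.ref:08X}  {describe(c)}")
```

Run against the sample, the file function resolves to `CreateFileA(access=GENERIC_READ, share=FILE_SHARE_WRITE, disposition=OPEN_EXISTING, attrs=0x80)` followed by a seek of `-0x80` and a later seek to `FILE_END`, and the menu function resolves to `DeleteMenu` on `SC_MAXIMIZE`, `SC_MINIMIZE`, `SC_SIZE` and `SC_RESTORE` with `EnableMenuItem(..., MF_GRAYED)` on the same commands. Decoded this way, the second function is consistent with a form that strips the resize and minimise/maximise entries from its system menu, which is ordinary GUI framework behaviour; on its own it is not evidence for any of the signatures listed at the top of this report, and the parser is only meant to make such triage faster than reading hex.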
APIs
• SHGetMalloc.SHELL32(?), ref: 004621AF
• GetActiveWindow.USER32(?,?,?,?,?,00000000,00462303), ref: 00462213
• CoInitialize.OLE32(00000000), ref: 00462227
• SHBrowseForFolder.SHELL32(?), ref: 0046223E
• CoUninitialize.OLE32(0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462253
• SetActiveWindow.USER32(?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462269
• SetActiveWindow.USER32(?,?,0046227F,00000000,?,?,?,?,?,00000000,00462303), ref: 00462272
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
• String ID: A
• API String ID: 2684663990-3554254475
• Opcode ID: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
• Instruction ID: 1e82777cc352b96db12449cf8796706bfa71e84f11e11660080683620fe74db3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: caefdfe045defb9a034f2c4a917009fdef53ece79d7542ea0497d69e424cd409
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E23130B0E04208AFDB00EFB5D945ADEBBF8EB09304F51447AF914E7251E7789A04CB59
APIs
• GetFileAttributesA.KERNEL32(00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D,?,?,00000000,00473EF0), ref: 00473974
  • Part of subcall function 0042D1E4: GetPrivateProfileStringA.KERNEL32 ref: 0042D25A
  • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000,?,00473C6D), ref: 004739EB
• RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00473A11,?,?,?,00000008,00000000,00000000,00000000), ref: 004739F1
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
• String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
• API String ID: 884541143-1710247218
• Opcode ID: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
• Instruction ID: bfb262a57c212aacfed1a05d1298e64af55acb3d3cb9d0523fd91374b550827c
• Opcode Fuzzy Hash: c5ee601f3e9953c735d8bf0a71158fe3e64be6cf92b19d5fab08f93ca351b12b
• Instruction Fuzzy Hash: 8F11D3B07006047BD701EA698C83AAE73ACDB48715F50813BB844A72C1DB3C9F02961D
APIs
• GetProcAddress.KERNEL32(00000000,inflateInit_), ref: 0045DAB9
• GetProcAddress.KERNEL32(00000000,inflate), ref: 0045DAC9
• GetProcAddress.KERNEL32(00000000,inflateEnd), ref: 0045DAD9
• GetProcAddress.KERNEL32(00000000,inflateReset), ref: 0045DAE9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc
• String ID: inflate$inflateEnd$inflateInit_$inflateReset
• API String ID: 190572456-3516654456
• Opcode ID: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
• Instruction ID: 9991d33b7b3f44c4a287d390de66c621eb38f0a325e11cae05c3c9c0ae6f74c7
• Opcode Fuzzy Hash: 5abc5c05f731a0f84057b652f47985810eed84a0374322df604e0c431af132d1
• Instruction Fuzzy Hash: ED016CB0D00710DAE324DF335C827223AA79B94306F1584376B4853266D3FC184DCE2D
APIs
• SetBkColor.GDI32(?,00000000), ref: 0041AE09
• BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041AE43
• SetBkColor.GDI32(?,?), ref: 0041AE58
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AEA2
• SetTextColor.GDI32(00000000,00000000), ref: 0041AEAD
• SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AEBD
• StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AEFC
• SetTextColor.GDI32(00000000,00000000), ref: 0041AF06
• SetBkColor.GDI32(00000000,?), ref: 0041AF13
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Color$StretchText
• String ID:
• API String ID: 2984075790-0
• Opcode ID: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
• Instruction ID: 4ec4bb7d7ecd06ab75a809c898bbb7394ceff3bd51f581de865bbf99f3132505
• Opcode Fuzzy Hash: b2e79564dac12e93c58a92479de6674996e515196b856df7b31fa3c4552ba36b
• Instruction Fuzzy Hash: E761A6B5A01605EFC740EFADE985E9AB7F9EF08318B108566F518DB251C734ED408F98
APIs
  • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
• CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00458A74,?, /s ",?,regsvr32.exe",?,00458A74), ref: 004589E6
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseDirectoryHandleSystem
• String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
• API String ID: 2051275411-1862435767
• Opcode ID: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
• Instruction ID: 5e566bfdb395c8031f807e0e6dfcda5b961088fbae7d5a2ae3caad0b9f5d9a1a
• Opcode Fuzzy Hash: 155819c64c430fb45d55460a0d10478e2dbda3fe00918e678cc052cf01514edf
• Instruction Fuzzy Hash: 94410770A003486BDB10EFE5C842B9DB7F9AF45305F50407FA914BB296DF789E098B59
APIs
• OffsetRect.USER32(?,00000001,00000001), ref: 0044D781
• GetSysColor.USER32(00000014), ref: 0044D788
• SetTextColor.GDI32(00000000,00000000), ref: 0044D7A0
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D7C9
• OffsetRect.USER32(?,000000FF,000000FF), ref: 0044D7D3
• GetSysColor.USER32(00000010), ref: 0044D7DA
• SetTextColor.GDI32(00000000,00000000), ref: 0044D7F2
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D81B
• DrawTextA.USER32(00000000,00000000,00000000), ref: 0044D846
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Text$Color$Draw$OffsetRect
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1005981011-0
                                                                                                                                                                                                            • Opcode ID: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
                                                                                                                                                                                                            • Instruction ID: 83f763003a0c4173e52025d9049416b14570b2719a823760897ab970dc451d42
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c732eae71167dd8aa6631ccdc206b1dcbb1a1316a8d8e9d7e0f026f0b59abdf9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B221ACB46015047FC710FB2ACD8AE8AB7DC9F59319B00857BB918EB3A3C67CDE444669
APIs
  • Part of subcall function 00451070: SetEndOfFile.KERNEL32(?,?,0045CB3E,00000000,0045CCC9,?,00000000,00000002,00000002), ref: 00451077
  • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00497E6D
• OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 00497E81
• SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00497E9B
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EA7
• CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EAD
• Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00497EC0
Strings
• Deleting Uninstall data files., xrefs: 00497DE3
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
• String ID: Deleting Uninstall data files.
• API String ID: 1570157960-2568741658
• Opcode ID: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
• Instruction ID: 7989a93d4f85e89f9f4a8d52eef74e044f35551c753dc98037dc67a034be62a8
• Opcode Fuzzy Hash: 76f4a073d4d431fcb8e24e0d71c40f55804fe31760389f23b01cbf0fd8bd04be
• Instruction Fuzzy Hash: 78213270718204BEEF10EBB6AC42B5737A8E755758F15497BF500961E2EA7C5C048B1D

APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155,?,?,?,?,00000000), ref: 004710BF
• RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,00471155), ref: 004710D6
• AddFontResourceA.GDI32(00000000), ref: 004710F3
• SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 00471107
Strings
• Failed to set value in Fonts registry key., xrefs: 004710C8
• AddFontResource, xrefs: 00471111
• Failed to open Fonts registry key., xrefs: 004710DD
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseFontMessageNotifyOpenResourceSendValue
• String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
• API String ID: 955540645-649663873
• Opcode ID: a737914a74f1a278ccb7df500bee1ba43775c90168331fb9ee9e3c5dcdaf4d95
• Instruction ID: e530b8863bd5b0940b7b47d45e6c2b04f0dd933a31ed90210a2cbfb1d5868c86
• Opcode Fuzzy Hash: a737914a74f1a278ccb7df500bee1ba43775c90168331fb9ee9e3c5dcdaf4d95
• Instruction Fuzzy Hash: 3821B27074024477D710EA6A9C42F9A77ACCB09708F60C43BBA04EB3D2DA7CDE05862D

APIs
  • Part of subcall function 00416860: GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
  • Part of subcall function 00416860: UnregisterClassA.USER32(?,00400000), ref: 004168FB
  • Part of subcall function 00416860: RegisterClassA.USER32(?), ref: 0041691E
• GetVersion.KERNEL32 ref: 00463A54
• SendMessageA.USER32 ref: 00463A92
• SHGetFileInfo.SHELL32(00463B30,00000000,?,00000160,00004011), ref: 00463AAF
• LoadCursorA.USER32(00000000,00007F02), ref: 00463ACD
• SetCursor.USER32(00000000,00000000,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463AD3
• SetCursor.USER32(?,00463B13,00007F02,00463B30,00000000,?,00000160,00004011), ref: 00463B06
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
• String ID: Explorer
• API String ID: 2594429197-512347832
• Opcode ID: 65d5975a7585ee049415f6ae244e5feecb2e1e5ddbe746441fb4960a5f53db61
• Instruction ID: 0956d246c88e4b13c617490cc10e92cdb10fa67267cb1644ec11604dcab5a564
• Opcode Fuzzy Hash: 65d5975a7585ee049415f6ae244e5feecb2e1e5ddbe746441fb4960a5f53db61
• Instruction Fuzzy Hash: 6A212C307403446AE710BFB58C47F9A76989B08708F5000BFBA09EE1C3EABD9D4586AD

APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 004795D1
• GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004795D7
• GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 004795EA
• CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02317A1C,?,?,?,02317A1C), ref: 00479614
• CloseHandle.KERNEL32(00000000,?,?,?,02317A1C,0047977C,00000000,0047989A,?,?,?,?), ref: 00479632
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: FileHandle$AddressAttributesCloseCreateModuleProc
• String ID: GetFinalPathNameByHandleA$kernel32.dll
• API String ID: 2704155762-2318956294
• Opcode ID: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
• Instruction ID: 19ddb68189d16dccfde8b10573e35333770f7cebea86a77b7f1be6907437da3a
• Opcode Fuzzy Hash: 1947a9aaa15eabe4036a12787753409495eb16ca8dbead4cdc7f2695ecfe1c22
• Instruction Fuzzy Hash: CC01D26034470436E52131BA4C86FBB248C8B50768F148237BA1CEA2E2EDAD9E0601AE
APIs
• GetLastError.KERNEL32(00000000,0045A78A,?,00000000,00000000,00000000,?,00000006,?,00000000,00499145,?,00000000,004991E8), ref: 0045A6CE
  • Part of subcall function 00454B5C: FindClose.KERNEL32(000000FF,00454C52), ref: 00454C41
Strings
• Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0045A743
• Failed to delete directory (%d). Will retry later., xrefs: 0045A6E7
• Failed to strip read-only attribute., xrefs: 0045A69C
• Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0045A6A8
• Stripped read-only attribute., xrefs: 0045A690
• Failed to delete directory (%d)., xrefs: 0045A764
• Deleting directory: %s, xrefs: 0045A657
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseErrorFindLast
• String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
• API String ID: 754982922-1448842058
• Opcode ID: e8aa9ef7f824b2a061c16c0988bae792ae65a83e1ee41ee0e1e8b20d1f830e97
• Instruction ID: 6800a92dfaec35f14ad088af188abd42280c19cea7490fe80134e7d3278dcbe3
• Opcode Fuzzy Hash: e8aa9ef7f824b2a061c16c0988bae792ae65a83e1ee41ee0e1e8b20d1f830e97
• Instruction Fuzzy Hash: 62418630A002485ACB10EB6988017AE7AF59B4D306F55867FAC11A7393DB7CCE1D875B
APIs
• GetCapture.USER32 ref: 004232F4
• GetCapture.USER32 ref: 00423303
• SendMessageA.USER32 ref: 00423309
• ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 0042330E
• GetActiveWindow.USER32(?,?,?,?,?,?,?,?,?,00000000,0000001F,00000000,00000000), ref: 0042331D
• SendMessageA.USER32 ref: 0042339C
• SendMessageA.USER32 ref: 00423400
• GetActiveWindow.USER32(00000000,0000B001,00000000,00000000,00000000,0000B000,00000000,00000000,00000000,00423433), ref: 0042340F
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
• Opcode ID: d2dc62145a020e54a0683f837acecb26501ac7fae3216bd7808a05aa4d6a43e8
• Instruction ID: 3a9af59dda1f98e95100fec3f153a7acb7f05633bd4cd2eb2e4992da2b7770c9
• Opcode Fuzzy Hash: d2dc62145a020e54a0683f837acecb26501ac7fae3216bd7808a05aa4d6a43e8
• Instruction Fuzzy Hash: 68414170B10258AFDB10EFAAD942B9DB7F1AF44704F5140BAE404AB292DB7C9F41CB18
APIs
• GetDC.USER32 ref: 004298DA
• GetTextMetricsA.GDI32 ref: 004298E3
  • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
• SelectObject.GDI32(00000000,00000000), ref: 004298F2
• GetTextMetricsA.GDI32 ref: 004298FF
• SelectObject.GDI32(00000000,00000000), ref: 00429906
• ReleaseDC.USER32(00000000,00000000), ref: 0042990E
• GetSystemMetrics.USER32(00000006), ref: 00429933
• GetSystemMetrics.USER32(00000006), ref: 0042994D
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
• String ID:
• API String ID: 1583807278-0
• Opcode ID: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
• Instruction ID: 0ef879b540a67ceb128a5e1141d84f2d1524799c58b88ee5a2ee57f477153a9f
• Opcode Fuzzy Hash: 493c3e02d1035430593376a4cfe0bac28c29019347665ee68c3eba71a2dbb902
• Instruction Fuzzy Hash: 8401A19170971127F310667A9CC2B6F6688DB54368F44053EFA86963E3D96C8C81876E
APIs
• GetDC.USER32 ref: 0041E277
• GetDeviceCaps.GDI32 ref: 0041E281
• ReleaseDC.USER32(00000000,00000000), ref: 0041E28E
• MulDiv.KERNEL32(00000008,00000060,00000048,00000000,0000005A,00000000,?,004194A9,0049A4C6), ref: 0041E29D
• GetStockObject.GDI32(00000007), ref: 0041E2AB
• GetStockObject.GDI32(00000005), ref: 0041E2B7
• GetStockObject.GDI32(0000000D), ref: 0041E2C3
• LoadIconA.USER32(00000000,00007F00), ref: 0041E2D4
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ObjectStock$CapsDeviceIconLoadRelease
• String ID:
• API String ID: 225703358-0
• Opcode ID: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
• Instruction ID: 718266ba1944efb5b46721f14e799226cd24d8dfc19287898d5783b558d94fa9
• Opcode Fuzzy Hash: db53187b583683c3da25eb47fc51b38c63e1255722fbf2352793706f85574c6b
• Instruction Fuzzy Hash: 1111FB70A453015AE340BFA69D52BAA3691D724709F00813BF608EF3D2DB7D5C809BAD
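The records above all follow one layout: an APIs list (with indented "Part of subcall function" entries), an optional Strings list with xrefs, the Memory Dump Source, and a Similarity block of IDs and fuzzy hashes. When a report has hundreds of these, reading them by hand is where triage stalls. As an added example, not code from Joe Sandbox or from the analysed installer, here is a Python parser for this record layout plus two checks a triager would run over the parsed records: grouping by API String ID so that one function seen in several dumps is reviewed once, and listing the API and DLL names a function resolves at runtime through GetProcAddress (the pattern of the record above whose String ID is GetFinalPathNameByHandleA$kernel32.dll: those imports are absent from the PE import table, so the strings are the only record of them). The embedded SAMPLE is constructed: its first record reuses lines copied from the report's own records, its second record (addresses, IDs) is invented for illustration.

```python
# Added example: parser for Joe Sandbox per-function records plus two triage
# checks. Not Joe Sandbox or installer code.
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>[\w.]+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+): (?P<rest>.*)$")
SOURCE_RE = re.compile(r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]+)")

# Constructed sample in the report's layout: record 1 reuses lines from the
# report's own records; record 2 (addresses, IDs) is invented to show a
# function that resolves an import at runtime through GetProcAddress.
SAMPLE = """\
APIs
• GetCapture.USER32 ref: 004232F4
• ReleaseCapture.USER32(00000000,0000001F,00000000,00000000), ref: 0042330E
  • Part of subcall function 00454B5C: FindClose.KERNEL32(000000FF,00454C52), ref: 00454C41
Strings
• Deleting directory: %s, xrefs: 0045A657
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CaptureMessageSend$ActiveWindow$Release
• String ID:
• API String ID: 862346643-0
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401000
• GetProcAddress.KERNEL32(00000000,GetFinalPathNameByHandleA), ref: 00401006
Strings
• GetFinalPathNameByHandleA, xrefs: 00401002
• kernel32.dll, xrefs: 00400FFC
Similarity
• API String ID: 1111111111-2222222222
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None   # callee address when reached via a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: Dict[str, List[str]] = field(default_factory=dict)   # text -> xrefs
    source_file: str = ""
    offset: str = ""
    similarity: Dict[str, str] = field(default_factory=dict)      # IDs and hashes

def _parse_api(text: str, subcall_of: Optional[str] = None) -> ApiCall:
    m = API_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised API line: {text!r}")
    args = [a for a in (m.group("args") or "").split(",") if a]
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref"), subcall_of)

def parse_report(text: str) -> List[FunctionRecord]:
    """Each record starts at an 'APIs' header; bullets belong to the last header."""
    records, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):            # section header (or blank line)
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue                            # bullet before any record: ignore
        body, rec = line[1:].strip(), records[-1]
        if section == "APIs":
            sub = SUBCALL_RE.match(body)
            rec.apis.append(_parse_api(sub.group("rest"), sub.group("fn")) if sub
                            else _parse_api(body))
        elif section == "Strings":
            s, _, xrefs = body.rpartition(", xrefs: ")
            rec.strings[s] = xrefs.split(", ")
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m:
                rec.source_file, rec.offset = m.group("file"), m.group("off")
        elif section == "Similarity":
            key, _, value = body.partition(":")
            rec.similarity[key.strip()] = value.strip()
    return records

def group_by_api_string_id(records: List[FunctionRecord]) -> Dict[str, List[FunctionRecord]]:
    """Same API String ID in several dumps: review one representative, not each copy."""
    groups = defaultdict(list)
    for r in records:
        groups[r.similarity.get("API String ID", "")].append(r)
    return dict(groups)

def runtime_resolved_names(rec: FunctionRecord) -> List[str]:
    """API/DLL names a function resolves via GetProcAddress; these never appear
    in the PE import table, so the function's strings are the only record."""
    if not any(a.name.startswith("GetProcAddress") for a in rec.apis):
        return []
    return sorted(s for s in rec.strings if re.fullmatch(r"\w+(\.dll)?", s, re.I))

if __name__ == "__main__":
    for rec in parse_report(SAMPLE):
        print(rec.similarity.get("API String ID"), [a.name for a in rec.apis],
              runtime_resolved_names(rec))
```

Paste the text of a report's function blocks (with the "Download File" link labels removed) into parse_report; the record boundaries are the "APIs" headers, so the partial block at the start of a copied page is dropped automatically. The check for runtime-resolved names is deliberately narrow: it only reports a function that itself calls GetProcAddress, so a resolver reached through a subcall shows up on the callee's record, not the caller's.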
APIs
• LoadCursorA.USER32(00000000,00007F02), ref: 00463F38
• SetCursor.USER32(00000000,00000000,00007F02,00000000,00463FCD), ref: 00463F3E
• SetCursor.USER32(?,00463FB5,00007F02,00000000,00463FCD), ref: 00463FA8
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Cursor$Load
                                                                                                                                                                                                            • String ID: $ $Internal error: Item already expanding
                                                                                                                                                                                                            • API String ID: 1675784387-1948079669
                                                                                                                                                                                                            • Opcode ID: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
                                                                                                                                                                                                            • Instruction ID: aa82ab3995de3935e6727d947cb2bd0e3876d59c6d9623ce98a17a39b04bf081
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2e72c9ebfc19e7403a65945d55937a119cc11725f60109d9f94943b84faf3f65
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 67B1E230A00244DFDB14DF65C549B9EBBF1AF45304F1584AAE8459B392E778EE84CB0A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: PrivateProfileStringWrite
                                                                                                                                                                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                                                                                                                                                                            • API String ID: 390214022-3304407042
                                                                                                                                                                                                            • Opcode ID: 7fc08df52904c59b3176bd425c815c443ddc94d3e7b0bfcf8c3a045116732771
                                                                                                                                                                                                            • Instruction ID: e87d0749b1697b84d3b9cc82c23e20e51564d8fa8ce324392089b518a873d649
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7fc08df52904c59b3176bd425c815c443ddc94d3e7b0bfcf8c3a045116732771
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B8913334E001499BDB01EFA5D882BDEB7B5EF49309F508467E900BB292D77C9E49CB58
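The function blocks above are worth more than a glance: the combination of WritePrivateProfileStringA with the strings .tmp, MoveFileEx, NUL, WININIT.INI and [rename] is the classic installer pattern for deferring a file rename or delete until the next reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT on NT, a [rename] entry in WININIT.INI on Windows 9x), and the "Inno Setup: Language" COMBOBOX block identifies the installer framework. The following Python is an added example, not Joe Sandbox's own code or output format specification: it parses report text in the layout shown on this page into per-function records, decodes the memory-dump file name, and applies two API+string triage rules. The sample text is an excerpt copied from this page's blocks. Two things are assumptions: the field order of the .sdmp name (pid.phase.id.base.protect.state.type.index, which is consistent with the snapshot name hcaresult_14_2_400000 on this page, i.e. pid 14, phase 2, base 0x400000) and the rule labels, which are this reviewer's interpretation. The protection and memory-type constants are the real winnt.h values.

```python
import re
from dataclasses import dataclass, field

# Real winnt.h constants; everything else about the dump name layout is assumed.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x20: "PAGE_EXECUTE_READ"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Constructed sample: an excerpt of three function blocks from this report, in its own layout.
SAMPLE = """APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0045457F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileStringWrite
• String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
• Instruction Fuzzy Hash: B8913334E001499BDB01EFA5D882BDEB7B5EF49309F508467E900BB292D77C9E49CB58
APIs
• GetClassInfoW.USER32 ref: 00477EF1
• SetWindowLongW.USER32(00000000,000000FC,Function_00077E4C), ref: 00477F18
• GetACP.KERNEL32(00000000,00478130,?,00000000,0047815A), ref: 00477F55
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00477F9B
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClassInfoLongMessageSendWindow
• String ID: COMBOBOX$Inno Setup: Language
APIs
• FindNextFileA.KERNEL32(000000FF,?,00000000,0047EAF4), ref: 0047EAD0
• FindClose.KERNEL32(000000FF,0047EAFB,0047EAF4), ref: 0047EAEE
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Find$CloseFileNext
• String ID: TG$TG
"""

# Matches "Name.MODULE(args), ref: ADDR" and the paren-less "Name.MODULE ref: ADDR" form.
API_RE = re.compile(r"([A-Za-z0-9_]+)\.([A-Z0-9]+)(?:\(.*?\))?\s*,?\s*ref: ([0-9A-F]+)")
SECTIONS = {"Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"}


@dataclass
class FuncBlock:
    apis: list = field(default_factory=list)     # (api name, module, call-site address)
    strings: list = field(default_factory=list)  # entries of the "$"-separated String ID
    dump: dict = field(default_factory=dict)     # decoded Source File name
    fuzzy: str = ""                              # Instruction Fuzzy Hash, for clustering


def decode_dump_name(name):
    """Decode <pid>.<phase>.<id>.<base>.<protect>.<state>.<type>.<index>.sdmp (assumed layout)."""
    f = name.split(".")
    if len(f) != 9 or f[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return {"pid": int(f[0], 16), "phase": int(f[1], 16), "base": int(f[3], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "type": MEM_TYPE.get(mtype, hex(mtype))}


def parse_report(text):
    """Split the report into function blocks; each block starts at an 'APIs' header."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur, section = FuncBlock(), "apis"
            blocks.append(cur)
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "apis":
            m = API_RE.search(line)          # also catches "Part of subcall function" lines
            if m:
                cur.apis.append((m.group(1), m.group(2), int(m.group(3), 16)))
        elif line.startswith("String ID:"):
            cur.strings.extend(s.strip() for s in line[len("String ID:"):].split("$") if s.strip())
        elif line.startswith("Source File:"):
            cur.dump = decode_dump_name(line.split()[2].rstrip(","))
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy = line.split(":", 1)[1].strip()
    return blocks


# (label, required API names, required strings); labels are this reviewer's interpretation.
RULES = [
    ("reboot-time file replacement (WININIT.INI [rename] fallback)",
     {"WritePrivateProfileStringA"}, {"WININIT.INI", "[rename]"}),
    ("Inno Setup installer language dialog",
     {"GetClassInfoW", "SendMessageW"}, {"Inno Setup: Language"}),
]


def triage(blocks):
    """Return (block index, label) for every block whose APIs and strings satisfy a rule."""
    hits = []
    for i, b in enumerate(blocks):
        names = {api for api, _, _ in b.apis}
        for label, apis, strs in RULES:
            if apis <= names and strs <= set(b.strings):
                hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in triage(parse_report(SAMPLE)):
        print(f"block {idx}: {label}")
```

The rules key on an API together with the strings referenced from the same function, which is far more specific than either alone: WritePrivateProfileStringA by itself is ordinary INI handling, and only the [rename] section name turns it into a deferred-rename indicator. The decoded dump fields let you confirm that a function came from the image's executable section (PAGE_EXECUTE_READ, MEM_IMAGE at 0x401000) rather than from a private RWX region, which is the question you would ask first if the process were injecting code.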
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetClassInfoW.USER32 ref: 00477EF1
                                                                                                                                                                                                            • SetWindowLongW.USER32(00000000,000000FC,Function_00077E4C), ref: 00477F18
                                                                                                                                                                                                            • GetACP.KERNEL32(00000000,00478130,?,00000000,0047815A), ref: 00477F55
                                                                                                                                                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00477F9B
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ClassInfoLongMessageSendWindow
                                                                                                                                                                                                            • String ID: COMBOBOX$Inno Setup: Language
                                                                                                                                                                                                            • API String ID: 3391662889-4234151509
                                                                                                                                                                                                            • Opcode ID: deb51ddf8cca9870b91e1d9d0dcad9b4f5c78b57c6cc0b96f0beb683c572e979
                                                                                                                                                                                                            • Instruction ID: 81c94a85f2d0ae2d33cbd4ee74d6221623364a49e9b2571c8ba4411711431487
                                                                                                                                                                                                            • Opcode Fuzzy Hash: deb51ddf8cca9870b91e1d9d0dcad9b4f5c78b57c6cc0b96f0beb683c572e979
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 65813C34A00205DFD710EF69C989AAAB7F0FB49304F55C1BAE848D7362DB38AD45CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • FindNextFileA.KERNEL32(000000FF,?,00000000,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58), ref: 0047EAD0
                                                                                                                                                                                                            • FindClose.KERNEL32(000000FF,0047EAFB,0047EAF4,?,?,?,?,00000000,0047EC49,?,?,?,00000000,?,0047ED58,00000000), ref: 0047EAEE
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Find$CloseFileNext
                                                                                                                                                                                                            • String ID: TG$TG
                                                                                                                                                                                                            • API String ID: 2066263336-2531790037
                                                                                                                                                                                                            • Opcode ID: b0e8c0ab68be89f93ee12764341254d4567c72d9188f1650ca356d27e1af81f5
                                                                                                                                                                                                            • Instruction ID: 49c023a3d40347f396a503d53546bb693b8cfca30f5629bd36de7deb8458e88f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0e8c0ab68be89f93ee12764341254d4567c72d9188f1650ca356d27e1af81f5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5812C7490024D9FDF11DF96C841ADFBBB9EF4D304F1081EAE508A7291D6399A46CF54
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemDefaultLCID.KERNEL32(00000000,00408DB8,?,?,?,?,00000000,00000000,00000000,?,00409DBF,00000000,00409DD2), ref: 00408B8A
                                                                                                                                                                                                              • Part of subcall function 004089B8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049D4C4,00000001,?,00408A83,?,00000000,00408B62), ref: 004089D6
                                                                                                                                                                                                              • Part of subcall function 00408A04: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,00408C06,?,?,?,00000000,00408DB8), ref: 00408A17
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InfoLocale$DefaultSystem
                                                                                                                                                                                                            • String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
                                                                                                                                                                                                            • API String ID: 1044490935-665933166
                                                                                                                                                                                                            • Opcode ID: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
                                                                                                                                                                                                            • Instruction ID: a8d7ab9d838d1b353a0e5ff474912d8a0235132b07344be0acb9e4c83fee81e1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c69c3147cd56940e9f4fd8337a0fbc887525be67d32930313bc35b703755f031
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D8513D34B001486BDB01FBA5DA41A9F77A9DB98308F50947FB181BB7C6CE3CDA068759
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetVersion.KERNEL32(00000000,00411D49), ref: 00411BDC
                                                                                                                                                                                                            • InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 00411C9A
                                                                                                                                                                                                              • Part of subcall function 00411EFC: CreatePopupMenu.USER32(?,00411D05,00000000,00000000,00411D49), ref: 00411F16
                                                                                                                                                                                                            • InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 00411D26
                                                                                                                                                                                                              • Part of subcall function 00411EFC: CreateMenu.USER32 ref: 00411F20
                                                                                                                                                                                                            • InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 00411D0D
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Menu$Insert$Create$ItemPopupVersion
• String ID: ,$?
• API String ID: 2359071979-2308483597
APIs
Similarity
• API ID: Object$BitmapBitsDelete$CreateIcon
• String ID:
• API String ID: 1030595962-0
APIs
• SetStretchBltMode.GDI32 ref: 0041D34E
• GetDeviceCaps.GDI32 ref: 0041D36D
• SelectPalette.GDI32(?,?,00000001), ref: 0041D3D3
• RealizePalette.GDI32(?), ref: 0041D3E2
• StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D44C
• StretchDIBits.GDI32 ref: 0041D48A
• SelectPalette.GDI32(?,?,00000001), ref: 0041D4AF
Similarity
• API ID: PaletteStretch$Select$BitsCapsDeviceModeRealize
• String ID:
• API String ID: 2222416421-0
APIs
• SendMessageA.USER32 ref: 00457B2A
  • Part of subcall function 004246CC: GetWindowTextA.USER32(?,?,00000100), ref: 004246EC
  • Part of subcall function 0041F2F4: GetCurrentThreadId.KERNEL32 ref: 0041F343
  • Part of subcall function 0041F2F4: EnumThreadWindows.USER32 ref: 0041F349
  • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00457B91
• TranslateMessage.USER32(?), ref: 00457BAF
• DispatchMessageA.USER32(?,?,00000000,00457BF0,?,00000000,?,?,?,00000000,00457C42), ref: 00457BB8
Strings
Similarity
• API ID: Message$TextThreadWindow$CurrentDispatchEnumSendTranslateWindows
• String ID: [Paused]
• API String ID: 1007367021-4230553315
APIs
• GetCursor.USER32(00000000,0046C21F), ref: 0046C19C
• LoadCursorA.USER32(00000000,00007F02), ref: 0046C1AA
• SetCursor.USER32(00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1B0
• Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1BA
• SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046C21F), ref: 0046C1C0
Strings
Similarity
• API ID: Cursor$LoadSleep
• String ID: CheckPassword
• API String ID: 4023313301-1302249611
APIs
  • Part of subcall function 00478DDC: GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
  • Part of subcall function 00478DDC: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
  • Part of subcall function 00478DDC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD
• SendMessageA.USER32 ref: 00478EE9
• GetTickCount.KERNEL32 ref: 00478F2E
• GetTickCount.KERNEL32 ref: 00478F38
• MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 00478F8D
Strings
• CallSpawnServer: Unexpected status: %d, xrefs: 00478F76
• CallSpawnServer: Unexpected response: $%x, xrefs: 00478F1E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
                                                                                                                                                                                                            • String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
                                                                                                                                                                                                            • API String ID: 613034392-3771334282
                                                                                                                                                                                                            • Opcode ID: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
                                                                                                                                                                                                            • Instruction ID: 2b74b3330966d0da2430542d23b63ad4dc4eec681a1128910255243e8f8c0985
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c46d90ec627eec355b04474858c9833e0dc615cc8fb62d212e36d073c5026e7c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E0319374F502149ADB10EBB9884A7EE76A19F48304F50843EF148EB382DA7C4D0187A9
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 0045A03B
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • CreateAssemblyCache, xrefs: 0045A032
                                                                                                                                                                                                            • Fusion.dll, xrefs: 00459FDB
                                                                                                                                                                                                            • Failed to load .NET Framework DLL "%s", xrefs: 0045A020
                                                                                                                                                                                                            • .NET Framework CreateAssemblyCache function failed, xrefs: 0045A05E
                                                                                                                                                                                                            • Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 0045A046
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressProc
                                                                                                                                                                                                            • String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
                                                                                                                                                                                                            • API String ID: 190572456-3990135632
                                                                                                                                                                                                            • Opcode ID: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
                                                                                                                                                                                                            • Instruction ID: ac224aa19d502af52a8aeeb8631c7515eb40ef1487658bef2565bb8923ebe5d4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d95d5d40fddf0b6030493c953464f742ef4760e894d11a5ea04ccacfdf112554
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7931A971E006059FDB10EFA5C88169EB7B4AF44715F50867BE814E7382D7389E18C79A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0041C498: GetObjectA.GDI32 ref: 0041C4A5
                                                                                                                                                                                                            • GetFocus.USER32 ref: 0041C5B8
                                                                                                                                                                                                            • GetDC.USER32 ref: 0041C5C4
                                                                                                                                                                                                            • SelectPalette.GDI32(?,?,00000000), ref: 0041C5E5
                                                                                                                                                                                                            • RealizePalette.GDI32(?), ref: 0041C5F1
                                                                                                                                                                                                            • GetDIBits.GDI32 ref: 0041C608
                                                                                                                                                                                                            • SelectPalette.GDI32(?,00000000,00000000), ref: 0041C630
                                                                                                                                                                                                            • ReleaseDC.USER32(?,?), ref: 0041C63D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Palette$Select$BitsFocusObjectRealizeRelease
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3303097818-0
                                                                                                                                                                                                            • Opcode ID: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
                                                                                                                                                                                                            • Instruction ID: 5608d60df95c2c9a4937b8f20fdaccdf81dd4bf5f719291f5ec9f8ce647d196e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 13ad04b8ebeec00c1d7dbe87a4843d5f0ce23703817d7fa7e30356844582fb0f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00116DB1A00619BBDF10DBA9CC85FAFB7FCEF48700F14446AB614E7281D67899008B28
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000000E), ref: 004190C0
                                                                                                                                                                                                            • GetSystemMetrics.USER32(0000000D), ref: 004190C8
                                                                                                                                                                                                            • 6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 004190CE
                                                                                                                                                                                                              • Part of subcall function 00410C48: 6F52C400.COMCTL32(?,000000FF,00000000,004190FC,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 00410C4C
                                                                                                                                                                                                            • 6F59CB00.COMCTL32(?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,?), ref: 0041911E
                                                                                                                                                                                                            • 6F59C740.COMCTL32(00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00419129
                                                                                                                                                                                                            • 6F59CB00.COMCTL32(?,00000001,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000), ref: 0041913C
                                                                                                                                                                                                            • 6F530860.COMCTL32(?,0041915F,?,00000000,?,?,00000000,00000000,00000000,00000000,00419158,?,00000000,0000000D,00000000,0000000E), ref: 00419152
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: MetricsSystem$C400C740F530860F532980
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 209721339-0
                                                                                                                                                                                                            • Opcode ID: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
                                                                                                                                                                                                            • Instruction ID: 9903b46d79d4c0b31f098cc3390b5efedd2ad94e5cf824da9eef417fc70482b9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3537cdd0f738fbfcd60e26d14cefecc9ad32e9dd8feb771d9bbef366dd2eac9a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0611B971B44204BBEB14EFA5CC87F9E73B9EB09704F504166B604EB2C1E5B99D848B58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00485110), ref: 004850F5
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                                                                            • String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
                                                                                                                                                                                                            • API String ID: 47109696-2530820420
                                                                                                                                                                                                            • Opcode ID: f94684ca5ff4a6ca7381cd733c0a85fe62770c625d2b9a68cb2525c3b7024c1e
                                                                                                                                                                                                            • Instruction ID: 02a49102d00d8724c0d73e8972acf5231ddb46999e19ea23a0f5791770e41de6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f94684ca5ff4a6ca7381cd733c0a85fe62770c625d2b9a68cb2525c3b7024c1e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE11B230A04644ABDB00F766DC56B5F7BA8DB42744F508877A800DB782D73D9E41975D
APIs
  • Part of subcall function 0044CD18: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0044CD30
• LoadLibraryA.KERNEL32(00000000,00000000,0044CE0A,?,?,?,?,00000000,00000000), ref: 0044CD92
• GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044CDA3
• GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044CDB3
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$DirectoryLibraryLoadSystem
• String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
• API String ID: 2141747552-1050967733
• Opcode ID: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
• Instruction ID: 55534d0cd89e21a5042de7d2cb1dd0110792ae2e246426a933e63f936c6ed6e6
• Opcode Fuzzy Hash: ea022944773ab25f9a4076fd398f24179dfceb8cd9828e0392caa77096e119c9
• Instruction Fuzzy Hash: 361151B0A01704AFF710EFA1DCC2B5A7BA8E758719F64047BE400666A1DBBD9D448A1C
APIs
• GetDC.USER32 ref: 00496E01
  • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
• SelectObject.GDI32(00000000,00000000), ref: 00496E23
• GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,004973A1), ref: 00496E37
• GetTextMetricsA.GDI32 ref: 00496E59
• ReleaseDC.USER32(00000000,00000000), ref: 00496E76
Strings
• ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00496E2E
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Text$CreateExtentFontIndirectMetricsObjectPointReleaseSelect
• String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
• API String ID: 2948443157-222967699
• Opcode ID: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
• Instruction ID: 569e85929f3d385eaff6f9e1b1d1d5c6dd8a65a34f46b30b3a8bef4bdf425d44
• Opcode Fuzzy Hash: aae36943e4c039aea34424998f68ade3a8833365680bc7432fe66356b3d4646c
• Instruction Fuzzy Hash: 36018476A04608AFDB05DBE9CC41F5FB7ECDB49704F11047ABA04E7281D678AE008B68
APIs
• SelectObject.GDI32(00000000,?), ref: 0041B8C0
• SelectObject.GDI32(?,00000000), ref: 0041B8CF
• StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B8FB
• SelectObject.GDI32(00000000,00000000), ref: 0041B909
• SelectObject.GDI32(?,00000000), ref: 0041B917
• DeleteDC.GDI32(00000000), ref: 0041B920
• DeleteDC.GDI32(?), ref: 0041B929
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ObjectSelect$Delete$Stretch
• String ID:
• API String ID: 1458357782-0
• Opcode ID: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
• Instruction ID: b8528283d587f8f5f7158778d976388ea9280e6d202ec49eeb693ac58173ed71
• Opcode Fuzzy Hash: c5d1e2e3ff328356a4e4238c7f450765dbf7839f38aeea7c0d55facf19ccd353
• Instruction Fuzzy Hash: 5A118EB2F04619ABDB10D6DDC885FEFB7BCEB08314F044415B614FB241C678AD418B54
APIs
• GetCursorPos.USER32 ref: 004237FF
• WindowFromPoint.USER32(?,?), ref: 0042380C
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0042381A
• GetCurrentThreadId.KERNEL32 ref: 00423821
• SendMessageA.USER32 ref: 0042383A
• SendMessageA.USER32 ref: 00423851
• SetCursor.USER32(00000000), ref: 00423863
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
• String ID:
• API String ID: 1770779139-0
• Opcode ID: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
• Instruction ID: d55a13ab3e3fc67d9c1f0c697d1027359b93869cc9afd0973a071b09e334c979
• Opcode Fuzzy Hash: fba33d789b5f9dac747d9de6da7c9d6faa9ef010ba63e634e26d5bfbf65e3e3b
• Instruction Fuzzy Hash: 9901D42230521036D6207B7A5C86E2F22E8CBC5B65F51443FB609BF282D93D8C01976D
APIs
• GetModuleHandleA.KERNEL32(user32.dll), ref: 00496C24
• GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00496C31
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00496C3E
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
• API String ID: 667068680-2254406584
• Opcode ID: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
• Instruction ID: 0100053a3692f287516410ec157e21cb1b88c24c6f2ed11ec452f60a58bd69cd
• Opcode Fuzzy Hash: 1a62ebb246959f38fae6f97a16ae9b6e3f147e8fdc483f677f644595477796c0
• Instruction Fuzzy Hash: 5AF0F692701B1526DA1025764C81B7B698CCBC27A0F060037BD85A7382E9AD9C0552AD
APIs
• GetProcAddress.KERNEL32(00000000,ISCryptGetVersion), ref: 0045D98D
• GetProcAddress.KERNEL32(00000000,ArcFourInit), ref: 0045D99D
• GetProcAddress.KERNEL32(00000000,ArcFourCrypt), ref: 0045D9AD
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Similarity
• API ID: AddressProc
• String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
• API String ID: 190572456-508647305
• Opcode ID: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
• Instruction ID: 0705cba7109997b41c54f5ec5154c4026f190107a5f336fc7dc4235633f43cad
• Opcode Fuzzy Hash: a120c3d2ef62b36cbcf1f94c94fb794ce275c00622819f97a022044a312cbe17
• Instruction Fuzzy Hash: E9F030F1901620EBF314EF77AC457273695EBA4302F14843BA445E11B2D7BA085AEA2C
APIs
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressInit), ref: 0045DE8D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompress), ref: 0045DE9D
• GetProcAddress.KERNEL32(00000000,BZ2_bzDecompressEnd), ref: 0045DEAD
Strings
Similarity
• API ID: AddressProc
• String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
• API String ID: 190572456-212574377
• Opcode ID: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
• Instruction ID: ffc1661d06bbefe96a91e36acebf6432405697aaa326f86a6f465272ccde7cfc
• Opcode Fuzzy Hash: 69782b4271ac4a522c1cbf050024bd159fbeab52ed8ba1f2270972ee26ec74bc
• Instruction Fuzzy Hash: 84F01DB1D00A18DED724DF37AC4A72736D5EF74316F08843BA9465A2A2D7B80858DF1D
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000,00482671), ref: 0042EE85
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE8B
• InterlockedExchange.KERNEL32(0049D66C,00000001), ref: 0042EE9C
  • Part of subcall function 0042EDFC: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
  • Part of subcall function 0042EDFC: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
  • Part of subcall function 0042EDFC: InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
• ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EEB0
Strings
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
• String ID: ChangeWindowMessageFilterEx$user32.dll
• API String ID: 142928637-2676053874
• Opcode ID: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
• Instruction ID: d923442659e3b0e51499426f76f6993fec2ee5a704375d7ef0c30b5e995126c2
• Opcode Fuzzy Hash: 147ab314087a4e3dcf6e16000bf7a92f8a6b53821ee1abd9afb0821482d3c5ed
• Instruction Fuzzy Hash: 1AE06DF1B40724AAEF107B766C86B9B2668EB50769F55003BF104A61E1C7FD0C408A6C
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,?,0049A50C), ref: 00479E6E
• GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 00479E7B
• GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 00479E8B
Strings
Similarity
• API ID: AddressProc$HandleModule
• String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
• API String ID: 667068680-222143506
• Opcode ID: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
• Instruction ID: 2eb801612c02c2f681ec2550ef92dd2b82403b3208254216f30f7223daafca7c
• Opcode Fuzzy Hash: 4eb8c5683a80416fa23ca28207be772c3a68f7a3a60c78b74a0383d4a233a3f9
• Instruction Fuzzy Hash: BFC0C9E1680710A9D600F7725C82DBB2548D510B25310883FB499651D2E7BD0C144A2C
APIs
• GetFocus.USER32 ref: 0041BB95
• GetDC.USER32 ref: 0041BBA1
• SelectPalette.GDI32(00000000,?,00000000), ref: 0041BBD6
• RealizePalette.GDI32(00000000), ref: 0041BBE2
• CreateDIBitmap.GDI32 ref: 0041BC10
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BC44
Similarity
• API ID: Palette$Select$BitmapCreateFocusRealize
• String ID:
• API String ID: 3275473261-0
• Opcode ID: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
• Instruction ID: d5c29bb792210f064481fc70285f12689ccfb8d13ad776c980584781b3891df8
• Opcode Fuzzy Hash: 2f364fcd98ee6a1d62b7c654a57492f5fb96a9e1e42606f87797115b42be741f
• Instruction Fuzzy Hash: E4511E74A002099FCF11DFA9C895AEEBBB5FF49704F10406AF500A7790D779AD81CBA9
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFocus.USER32 ref: 0041BE67
                                                                                                                                                                                                            • GetDC.USER32 ref: 0041BE73
                                                                                                                                                                                                            • SelectPalette.GDI32(00000000,?,00000000), ref: 0041BEAD
                                                                                                                                                                                                            • RealizePalette.GDI32(00000000), ref: 0041BEB9
                                                                                                                                                                                                            • CreateDIBitmap.GDI32 ref: 0041BEDD
                                                                                                                                                                                                            • SelectPalette.GDI32(00000000,00000000,00000000), ref: 0041BF11
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Palette$Select$BitmapCreateFocusRealize
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3275473261-0
                                                                                                                                                                                                            • Opcode ID: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
                                                                                                                                                                                                            • Instruction ID: 6bf5c6e251c24ad455d3524f1730cbba616f151bd8f8db37d5e0169c444cf9bf
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a42abb991037a6bf202db87d3771568c300b6986fb43c24206afdf92edcb334
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD511875A002089FCB11DFA9C891AAEBBF5FF49700F11846AF504EB390D7789D40CBA8
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFocus.USER32(00000000,0041BAA8,?,?,?,?), ref: 0041B9CE
                                                                                                                                                                                                            • GetDC.USER32 ref: 0041B9DA
                                                                                                                                                                                                            • GetDeviceCaps.GDI32 ref: 0041B9F6
                                                                                                                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA13
                                                                                                                                                                                                            • GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0041BA2A
                                                                                                                                                                                                            • ReleaseDC.USER32(?,?), ref: 0041BA76
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EntriesPaletteSystem$CapsDeviceFocusRelease
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2502006586-0
                                                                                                                                                                                                            • Opcode ID: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
                                                                                                                                                                                                            • Instruction ID: 59801f7e5fcc4ac8ef53bb63f5e7b2fd9dc64a74171921ba3453a8653c00992f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: aaad342ca44b07dec6af6486a8a42c1cb8d3efc41e270446eeb3d15c1de1c0ff
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A941C371A042189FCB10DFB9C885A9FBBB4EF49740F1484AAF940EB351D2389D11CBA5
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,00000002,?,?,?,0045D980,?,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8F2
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                            • String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
                                                                                                                                                                                                            • API String ID: 1452528299-1580325520
                                                                                                                                                                                                            • Opcode ID: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
                                                                                                                                                                                                            • Instruction ID: 7ee2480e64cf5dcc37247868779a06df4fe5ff89f2b42202383772de8024ccfa
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bceaa7c9d38e855be30fb0ce12922fb4a40a0d74626b7c5ce76b3f9998da2675
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4811BB75A04204AFE731EBE1C941B9E76ADDF44306F604077AD0496383D67C5F0A952D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CapsDeviceMetricsSystem$Release
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 447804332-0
                                                                                                                                                                                                            • Opcode ID: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
                                                                                                                                                                                                            • Instruction ID: bd62dbbe377736d475eb9c8390e540ebf9edbe2df99a0055a8dbd9c6863756d8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3e92d3a5d6c5ecb792e0ebd5600fae34c9b68402c42568e6e1a494463c386ac3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CA214A74E44608AFEB00EFE9C942BEEB7B4EB48700F10806AF514B7381D6785940CB69
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0045D848: SetLastError.KERNEL32(00000057,00000000,0045D914,?,?,?,?,00000000), ref: 0045D8B3
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 004747FD
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00474844,?,?,0049E1E4,00000000), ref: 00474813
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Could not set permissions on the registry key because it currently does not exist., xrefs: 00474807
                                                                                                                                                                                                            • Failed to set permissions on registry key (%d)., xrefs: 00474824
                                                                                                                                                                                                            • I, xrefs: 00474785
                                                                                                                                                                                                            • Setting permissions on registry key: %s\%s, xrefs: 004747C2
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                                                                            • String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s$I
                                                                                                                                                                                                            • API String ID: 1452528299-1959139981
                                                                                                                                                                                                            • Opcode ID: fa1a9a8d389e764d463da442ef7f1c9e05787aef6c03ccc219f4a1874d89d582
                                                                                                                                                                                                            • Instruction ID: 89f83d431bb9d789a293ecef52b9ab2aae7d8ed3921fa29d9781309811a141fd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fa1a9a8d389e764d463da442ef7f1c9e05787aef6c03ccc219f4a1874d89d582
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15217774A042485FDB00EBA9C8416FEBBE8DB89314F51817BE414E7392DB785D058BAA
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047FA6A
                                                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046DA09), ref: 0047FA90
                                                                                                                                                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0047FAA0
                                                                                                                                                                                                            • SetWindowLongA.USER32(?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046DA09), ref: 0047FAC1
                                                                                                                                                                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047FAD5
                                                                                                                                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047FAF1
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Window$Long$Show
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3609083571-0
                                                                                                                                                                                                            • Opcode ID: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
                                                                                                                                                                                                            • Instruction ID: ffd9c37a1d4b3a018da72acb707aca8a1d598a80d0625303fdebb2ead6bb840a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: abe530f147a2c3f98821beb69050e02df951cc1f08551c366297f014f152c27b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D301E9B6A54210ABD600DB78CD41F6637E8AB0C310F0A4776FA5DDF3E3C679D8048A08
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0041AB30: CreateBrushIndirect.GDI32 ref: 0041AB9B
                                                                                                                                                                                                            • UnrealizeObject.GDI32(00000000), ref: 0041B6CC
                                                                                                                                                                                                            • SelectObject.GDI32(?,00000000), ref: 0041B6DE
                                                                                                                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B701
                                                                                                                                                                                                            • SetBkMode.GDI32 ref: 0041B70C
                                                                                                                                                                                                            • SetBkColor.GDI32(?,00000000), ref: 0041B727
                                                                                                                                                                                                            • SetBkMode.GDI32 ref: 0041B732
                                                                                                                                                                                                              • Part of subcall function 0041A4A8: GetSysColor.USER32(?), ref: 0041A4B2
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3527656728-0
                                                                                                                                                                                                            • Opcode ID: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
                                                                                                                                                                                                            • Instruction ID: 4060aa1d5abe481981ad85160ceff6bfe730d60da31349b060da60163fdb8f1a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 591f5e0a38fc1ca3dbe863e806ec08e439b2c286ec032ca355b2d19c4403f824
                                                                                                                                                                                                            • Instruction Fuzzy Hash: AAF0CD75601100ABDE04FFBADACAE4B77989F043097048057B908DF197CA7CE8A08B3A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
                                                                                                                                                                                                            • ShowWindow.USER32(?,00000005,00000000,004998A9,?,?,00000000), ref: 0049967A
                                                                                                                                                                                                              • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
                                                                                                                                                                                                              • Part of subcall function 004076F8: SetCurrentDirectoryA.KERNEL32(00000000,?,004996A2,00000000,00499875,?,?,00000005,00000000,004998A9,?,?,00000000), ref: 00407703
                                                                                                                                                                                                              • Part of subcall function 0042D89C: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D92A,?,?,?,00000001,?,0045681A,00000000,00456882), ref: 0042D8D1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                                                                                                                                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                                                                                                                                                                            • API String ID: 3312786188-1660910688
                                                                                                                                                                                                            • Opcode ID: b59174c22afc0cb4d84e45ba041c7c5ab1d45157887829cd53cd9da25efcf179
                                                                                                                                                                                                            • Instruction ID: 4da38b6a349b60b5a60df07f01633cb26419001f7db46277bbb3aa66fc0d4d29
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b59174c22afc0cb4d84e45ba041c7c5ab1d45157887829cd53cd9da25efcf179
                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1313074A10114AFCB01FFAACC5295E7B75FB49318B51887AF800A7352EB39AD04CB59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042EF2A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EF30
                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042EF59
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressByteCharHandleModuleMultiProcWide
                                                                                                                                                                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                                                                                                                                                                            • API String ID: 828529508-2866557904
                                                                                                                                                                                                            • Opcode ID: 0a1a7f0b35af10bec52672da06a2906d532a44599cf47327945e1bb0849fc05d
                                                                                                                                                                                                            • Instruction ID: 50bd107db23699165094570332042a9a2090c4fb9dd7a9a9ac1c8e9692f1be1d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a1a7f0b35af10bec52672da06a2906d532a44599cf47327945e1bb0849fc05d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D7F0F0E134062237E620B27FAC86F7F55CC8F94729F150036B608EA2C2EA7C9905426F
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MsgWaitForMultipleObjects.USER32(00000001,00000001,00000000,000000FF,000000FF,00000000,00458871), ref: 00458824
                                                                                                                                                                                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 00458845
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,00458878,000000FF,000000FF,00000000,00458871), ref: 0045886B
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                                                                                                                                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                                                                                                                                                                            • API String ID: 2573145106-3235461205
                                                                                                                                                                                                            • Opcode ID: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
                                                                                                                                                                                                            • Instruction ID: 4c05e8df3edacc9d455a33c3a45c96e3e51f685ffe720196e50d624f784124f1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b59af786c083e6c34fb912d8588e02e36760330094b26c60bb33ca54220cd61b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E01A274A00204AFDB10FBA98C52A1E73A8EB45715FA0057AFD10F73D2DE39AD048A28
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004,0049B934,004579ED,00457D90,00457944,00000000,00000B06,00000000,00000000,00000000,00000002,00000000), ref: 0042EE12
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
• InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
• API String ID: 3478007392-2498399450
• Opcode ID: 2ae9261505c9f67baa706182e7b3239f9e45ce3b55a3ca64683e2b7ae62260b5
• Instruction ID: 37ab6c1781d9ace597be808b0f82a5ae7151ca86b9dce60fc565c366ef428a29
• Opcode Fuzzy Hash: 2ae9261505c9f67baa706182e7b3239f9e45ce3b55a3ca64683e2b7ae62260b5
• Instruction Fuzzy Hash: 76E0ECB1B41320AAEA1137726C8AF5726559B2471DF950437F108671E2C6FC1C84C91D
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
• API String ID: 1782028327-3855017861
• Opcode ID: baaddf851ddbcde89e908f2650d0d7dd5a96bc2ff5b27e890b2c54087906d01e
• Instruction ID: c95bb4f0dd120990503e7052118a19d741abdcedadff55ee9c16c600a1fe714f
• Opcode Fuzzy Hash: baaddf851ddbcde89e908f2650d0d7dd5a96bc2ff5b27e890b2c54087906d01e
• Instruction Fuzzy Hash: EFD09EB168060165E910B3B69D4AE9B235C89847647248C3FB458E2586DF7CD894457D
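The two records above are the evidence behind the report's "Contains functionality to dynamically determine API calls" signature: each calls GetModuleHandleA on user32.dll and then GetProcAddress, and the export being resolved (ChangeWindowMessageFilter, AllowSetForegroundWindow) appears in the record's String ID field. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: a Python parser for these function records that flags run-time API resolution and lists the exports resolved. The sample text is constructed from the records on this page, trimmed to their API and Similarity lines; that a record starts at an "APIs" header and that String ID separates names with "$" are assumptions taken from this page's layout.

```python
"""Flag run-time API resolution in Joe Sandbox function records.

Added example (not part of the Joe Sandbox report).  Parses the
"APIs" / "Similarity" lines of function records, finds records that
call a module resolver (GetModuleHandle*/LoadLibrary*) together with
GetProcAddress, and reports the export names carried by the record's
"String ID" field.
"""
import re
from dataclasses import dataclass, field

# One API call line as printed by the report, with or without an argument
# list, e.g.
#   • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
#   • RestoreDC.GDI32 ref: 0041715B
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Similarity field listing the strings referenced by the function; names
# are "$"-separated in this report (assumption drawn from the page layout).
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

RESOLVERS = {
    "GetModuleHandleA", "GetModuleHandleW",
    "LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
}


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)    # (api, module, args, ref)
    strings: list = field(default_factory=list)  # names from "String ID"


def parse_records(text):
    """Split report text into records; a record starts at an 'APIs' header
    (assumption: that is how the page lays out each analysed function)."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(
                (m.group("api"), m.group("module"), args, m.group("ref")))
            continue
        m = STRING_ID.match(line)
        if m:
            current.strings = [s for s in m.group("ids").split("$") if s]
    return records


def dynamic_imports(record):
    """Export names a record resolves at run time, or [] if it does not.

    The record must call both a module resolver and GetProcAddress; the
    candidates are its referenced strings that are not DLL names.
    """
    apis = {api for api, _, _, _ in record.calls}
    if "GetProcAddress" not in apis or not (apis & RESOLVERS):
        return []
    return [s for s in record.strings if not s.lower().endswith(".dll")]


def find_dynamic_imports(text):
    """Map the ref address of each resolving record's first call to the
    export names it resolves."""
    found = {}
    for rec in parse_records(text):
        names = dynamic_imports(rec)
        if names:
            found[rec.calls[0][3]] = names
    return found


# Constructed sample: the records from this page, trimmed to the lines the
# parser needs (a third record without GetProcAddress serves as a negative).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042EEC0,00000004), ref: 0042EE12
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EE18
• InterlockedExchange.KERNEL32(0049D664,00000001), ref: 0042EE29
Similarity
• API ID: AddressExchangeHandleInterlockedModuleProc
• String ID: ChangeWindowMessageFilter$user32.dll
APIs
• GetWindowThreadProcessId.USER32(00000000), ref: 00478DE4
• GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,00478EDB,0049E0AC,00000000), ref: 00478DF7
• GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00478DFD
Similarity
• API ID: AddressHandleModuleProcProcessThreadWindow
• String ID: AllowSetForegroundWindow$user32.dll
APIs
• BeginPaint.USER32(00000000,?), ref: 004170A2
• RestoreDC.GDI32 ref: 0041715B
• EndPaint.USER32(00000000,?,0041719C,00000000,00417195), ref: 0041718F
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
"""

if __name__ == "__main__":
    for ref, names in find_dynamic_imports(SAMPLE).items():
        print(f"record at {ref}: resolves {', '.join(names)}")
```

Note that in these records the export name shows up inside GetModuleHandleA's printed argument list rather than GetProcAddress's, so positional arguments are not a reliable place to read it from; the String ID field is, which is why the example keys off that. Resolving user32 exports such as ChangeWindowMessageFilter this way is also how legitimate installers stay compatible with Windows versions that lack the export, so on its own this pattern is a weak indicator and should be weighed with the rest of the report.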
APIs
• BeginPaint.USER32(00000000,?), ref: 004170A2
• SaveDC.GDI32(?,00000000,00417195), ref: 004170D3
• ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00417195), ref: 00417134
• RestoreDC.GDI32 ref: 0041715B
• EndPaint.USER32(00000000,?,0041719C,00000000,00417195), ref: 0041718F
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Paint$BeginClipExcludeRectRestoreSave
• String ID:
• API String ID: 3808407030-0
• Opcode ID: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
• Instruction ID: 2d0e89e5730252ba578d2efb55dda1d595b63161fefa896777b830b1b9f6ffa1
• Opcode Fuzzy Hash: d3cb791d7785fb4fc35c1181fb0c895e71633609ec102f90fedaf0bd5e116ec9
• Instruction Fuzzy Hash: 9B412170A08204AFDB04DFA5C985FAA77F9FF48314F1544AEE4059B362C7789D85CB18
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
• Instruction ID: f067b59d413d1c4671d71e094a7f62e666ee1dcd53ee7561759f320ec3b01eff
• Opcode Fuzzy Hash: eea1a8f7c9869be2cd73ede4559f3beb1d50bc075a71ac7122178a7397227914
• Instruction Fuzzy Hash: 6F314F70605740AFC720EF69D984BABB7E8AF89314F04891EF9D5C7751D638EC808B59
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MetricsSystem$BitmapCreateDeleteObject
• String ID:
• API String ID: 1095203571-0
• Opcode ID: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
• Instruction ID: f919feb2cfdf9cb53746996a9db251afb7e4286801c3fccb61a5d2ca1bdc7bf1
• Opcode Fuzzy Hash: e9779dfffb4f21f61e506df0ae377518d2b748fc237c0f7807fdb933fd26a7eb
• Instruction Fuzzy Hash: A3313E74A40205EFDB04DFA5C981AAEB7F5EB48704F11856AF510AB381D7789E80DB98
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 6f2f314a4364933bab3318e288dd70a8d34a507adfc9435400f142d56b41fc4f
• Instruction ID: 0478e77fbb77d274a7bfb783d11adee83c5a4069cdde94f0426c34ba09fc350e
• Opcode Fuzzy Hash: 6f2f314a4364933bab3318e288dd70a8d34a507adfc9435400f142d56b41fc4f
• Instruction Fuzzy Hash: 222190707107147AE710AFA7DC82F4B76EC9B40704F90443E7906AB2D2DAB8ED41861D
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
• SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
• SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocString
• String ID:
• API String ID: 262959230-0
• Opcode ID: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
• Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
• Opcode Fuzzy Hash: 67daf853af92f19bd36af3157ccd0aae30d6e3cf77030be0de76c974993ddc75
• Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D
APIs
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 00414869
• RealizePalette.GDI32(00000000), ref: 00414871
• SelectPalette.GDI32(00000000,00000000,00000001), ref: 00414885
• RealizePalette.GDI32(00000000), ref: 0041488B
• ReleaseDC.USER32(00000000,00000000), ref: 00414896
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Palette$RealizeSelect$Release
• String ID:
• API String ID: 2261976640-0
• Opcode ID: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
• Instruction ID: aeb03e62d8ddadf83c94429ec28f403801e3a8d1cb621d3e7bfc21001d019430
• Opcode Fuzzy Hash: fa3b9403a46652b92fdf4541f93f936de0ad42420f7af6617674ce52f43e61da
• Instruction Fuzzy Hash: 3201DF7520C3806AD600B63D8C85A9F6BEC9FCA314F15946EF484DB3C2CA7AC8018761
APIs
• WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 00407453
• WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 004074CD
• WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 00407525
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Enum$NameOpenResourceUniversal
• String ID: Z
• API String ID: 3604996873-1505515367
• Opcode ID: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
• Instruction ID: 2310e9831ee7c99a0a8649866770d0a98cc310fb2cf5807583ec8a4e9daa3455
• Opcode Fuzzy Hash: ef725f5677505cc1ece444b72ce86a205eac34b3eeee73834d2775d04d947be5
• Instruction Fuzzy Hash: 41519070E04208AFDB11DF99C845A9EBBB9EB49314F1448BAE400B72D1D778AE418B5A
APIs
• SetRectEmpty.USER32 ref: 0044D626
• DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044D651
• DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044D6D9
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: DrawText$EmptyRect
• String ID:
• API String ID: 182455014-2867612384
• Opcode ID: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
• Instruction ID: 5f00bac91b28cdab45bfb944687f04cfacea2c0ae70fe3b1c590f7ffbabf3d5b
• Opcode Fuzzy Hash: 118ce66f65fc30a3616beabd50b84bb536d9a0cd1ba8fe4db387a67cc8cfb132
• Instruction Fuzzy Hash: 7C517271E00248AFDB11DFA9C885BDEBBF8AF49304F15847AE805EB252D7389944CB64
APIs
• GetDC.USER32 ref: 0042F42A
  • Part of subcall function 0041A638: CreateFontIndirectA.GDI32(?), ref: 0041A6F7
• SelectObject.GDI32(?,00000000), ref: 0042F44D
• ReleaseDC.USER32(00000000,?), ref: 0042F52C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CreateFontIndirectObjectReleaseSelect
• String ID: ...\
• API String ID: 3133960002-983595016
• Opcode ID: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
• Instruction ID: 21909acc4746510f695b318a8719c62c66087a48e53e42bcbae852ee139bb065
• Opcode Fuzzy Hash: d1b66580af5f8b118005d8afe4c27e7b3c53fe3fbe43e40283f5066ed8c29eea
• Instruction Fuzzy Hash: E1314270B00229ABDB11EF9AD851BAEB7F9EB48308F90447BF410A7291C7785E45CA59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                                                                                                                            • String ID: .tmp$_iu
                                                                                                                                                                                                            • API String ID: 3498533004-10593223
                                                                                                                                                                                                            • Opcode ID: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
                                                                                                                                                                                                            • Instruction ID: 59545500d2eeb09234598e35ee9a1648d273934097dc79d2b475452d37d3be57
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2a078343c1ee0e1e426b7682a7e14f96dd8f6dbcb1786daf15018a65187b9764
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8431C570E00209ABCF11EB95C942BEEBBB5AF54309F20452AF900BB3D2D7385F459759
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetClassInfoA.USER32(00400000,?,?), ref: 004168CF
                                                                                                                                                                                                            • UnregisterClassA.USER32(?,00400000), ref: 004168FB
                                                                                                                                                                                                            • RegisterClassA.USER32(?), ref: 0041691E
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Class$InfoRegisterUnregister
                                                                                                                                                                                                            • String ID: @
                                                                                                                                                                                                            • API String ID: 3749476976-2766056989
                                                                                                                                                                                                            • Opcode ID: 4396ba66f38c50fdb8df942a61c3a5bf44a39cad718591ab6b3f39f0828efa85
                                                                                                                                                                                                            • Instruction ID: c7ae62685634f2feb307fa6559a912500e41153472d9d2bb59c10c8b55fc2cbc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4396ba66f38c50fdb8df942a61c3a5bf44a39cad718591ab6b3f39f0828efa85
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C6318E706043008BDB10EF68C885B9B77E9AB89308F00457FF985DB392DB39DD458B5A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
                                                                                                                                                                                                            • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
                                                                                                                                                                                                            • MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$Attributes$Move
                                                                                                                                                                                                            • String ID: isRS-%.3u.tmp
                                                                                                                                                                                                            • API String ID: 3839737484-3657609586
                                                                                                                                                                                                            • Opcode ID: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
                                                                                                                                                                                                            • Instruction ID: 0b841a000e743cb9e8da0cfb8565bc532e10ded45a2cf007f5af54a585f9ef1c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 88eac6fa2fd00287dbaa55a3b9bd3a1b65409462b653a3bc96acdfff81af7d31
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
                                                                                                                                                                                                              • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
                                                                                                                                                                                                              • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
                                                                                                                                                                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
                                                                                                                                                                                                            • RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
                                                                                                                                                                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                                                                                                                                                                            • API String ID: 1312246647-2435364021
                                                                                                                                                                                                            • Opcode ID: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
                                                                                                                                                                                                            • Instruction ID: 195147ed2e8b8ae7ced7006412bb8845aee82bd7b9f018cfdf51d436bcb33606
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 18df84fe9d86e2862f6386675fb05e4dd3e507c86707e069f339337bab75705e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C911D630B04204BFDB01DFA6DC51A4EBBADEB4A305F108076FD04D3652DA389E04C618
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Failed to create DebugClientWnd, xrefs: 004579D0
                                                                                                                                                                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: MessageSend
                                                                                                                                                                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                                                                                                                                                                                            • API String ID: 3850602802-3720027226
                                                                                                                                                                                                            • Opcode ID: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
                                                                                                                                                                                                            • Instruction ID: b12cfe17c44d9b7297a0742d7ace06ebf4c30bfebd2037bde928bbf0dce3c7c1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 925f9ffdcd425408a01fa4f98f39528b3d7bbeff17d45d483e1d3833f7d96f07
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1311C4B16082509BE310AB299C81B5F77949B54319F04443BF9849F383D3B99C18C7AE
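The function records in this part of the report (APIs with call-site addresses, referenced strings with xrefs, and the Similarity block with API ID, String ID and fuzzy hashes) are far easier to hunt with once they are structured: an index of API name to call site lets you jump straight to the MoveFileExA / MOVEFILE_REPLACE_EXISTING site or the CreateFileA site that builds the "_iu" ".tmp" name, and the Instruction Fuzzy Hash can be compared across samples. The following Python parser is an added example, not part of the Joe Sandbox report or its IDA plugin; the embedded sample text is copied from the records shown above with the indentation dropped, and the helper names (parse_records, api_index, records_with_string) are the example's own. It also strips the "Download File" link label that text extracts fuse onto the dump file names.

```python
"""Parse the per-function records a Joe Sandbox report prints from its IDA
plugin (APIs / Strings / Memory Dump Source / Similarity) into dicts, so API
usage, referenced strings and fuzzy hashes can be indexed and compared."""
import re
from collections import defaultdict

# Section headers exactly as the report prints them; "APIs" opens a new record.
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# '• Name.MODULE(args), ref: ADDR', optionally prefixed with 'Part of subcall
# function XXXX: ', and also the paren-less form 'Name.MODULE ref: ADDR'.
API_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<val>.*)$")

# Constructed sample: four records copied from the report above (trimmed).
SAMPLE = """\
APIs
• CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454113
• CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,00498709,_iu,?,00000000,0045415E), ref: 00454123
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
Similarity
• API ID: CloseCreateFileHandle
• String ID: .tmp$_iu
• Instruction Fuzzy Hash: 8431C570E00209ABCF11EB95C942BEEBBB5AF54309F20452AF900BB3D2D7385F459759
APIs
• GetFileAttributesA.KERNEL32(00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B68
• SetFileAttributesA.KERNEL32(00000000,00000000,00000000,0049A448,00000000,00499BEE,?,?,00000000,0049D62C), ref: 00499B91
• MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00499BAA
Strings
Similarity
• API ID: File$Attributes$Move
• String ID: isRS-%.3u.tmp
• Instruction Fuzzy Hash: 54212171D14119ABCF00EBA9D881AAFBBB8BB58314F11457EA814B72D1D63C6E018A59
APIs
  • Part of subcall function 0042CC54: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042CC78
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004573EC
• RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00457419
Strings
Similarity
• API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
• String ID: LoadTypeLib$RegisterTypeLib
APIs
Strings
• Failed to create DebugClientWnd, xrefs: 004579D0
• Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00457996
Similarity
• API ID: MessageSend
"""


def parse_api_line(line):
    """One API line (bullet already removed) -> dict, or None if it is not one."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
    return {"name": m["name"], "module": m["mod"], "args": args,
            "ref": m["ref"].upper(), "subcall": m["sub"] is not None}


def parse_records(text):
    """Split report text into records: {'apis': [...], 'strings': [...], 'meta': {...}}."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        # The report renders a "Download File" link after each dump file name;
        # text extracts fuse it onto the name, so drop that suffix.
        line = raw.strip().removesuffix("Download File").strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "meta": {}}
                records.append(rec)
            section = line
            continue
        if rec is None:
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            api = parse_api_line(line)
            if api:
                rec["apis"].append(api)
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                rec["strings"].append((m["text"], m["ref"].upper()))
        else:  # Memory Dump Source / IDA Plugin / Similarity are key: value lines (last wins)
            m = KV_RE.match(line)
            if m:
                rec["meta"][m["key"]] = m["val"]
    return records


def api_index(records):
    """API name -> [(call site, Instruction Fuzzy Hash of the calling function)].
    Subcall entries are skipped: they describe the callee, not this function."""
    idx = defaultdict(list)
    for r in records:
        fh = r["meta"].get("Instruction Fuzzy Hash")
        for a in r["apis"]:
            if not a["subcall"]:
                idx[a["name"]].append((a["ref"], fh))
    return dict(idx)


def records_with_string(records, needle):
    """Records whose referenced strings or String ID contain needle."""
    return [r for r in records
            if any(needle in s for s, _ in r["strings"])
            or needle in r["meta"].get("String ID", "")]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for name, sites in sorted(api_index(recs).items()):
        print(name, sites)
    for r in records_with_string(recs, "isRS-"):
        print("temp-name string in function with API ID", r["meta"]["API ID"])
```

The regexes deliberately accept both call forms the plugin emits (with an argument list, and the bare `GetKeyState.USER32 ref: 004799B1` form seen later in this report) and keep the symbolic flag text such as `00000001(MOVEFILE_REPLACE_EXISTING)` intact in the argument list, so a flag search does not need to decode the raw value.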
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 00424714: SetWindowTextA.USER32(?,00000000), ref: 0042472C
                                                                                                                                                                                                            • GetFocus.USER32(?,00000000,004799D8,?,00000000,004799FF,?,?,00000001,00000000,?,?,0048174F,00000000,00482671), ref: 0047999F
                                                                                                                                                                                                            • GetKeyState.USER32 ref: 004799B1
                                                                                                                                                                                                            • WaitMessage.USER32(?,00000000,004799D8,?,00000000,004799FF,?,?,00000001,00000000,?,?,0048174F,00000000,00482671), ref: 004799BB
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FocusMessageStateTextWaitWindow
                                                                                                                                                                                                            • String ID: Wnd=$%x
                                                                                                                                                                                                            • API String ID: 1381870634-2927251529
                                                                                                                                                                                                            • Opcode ID: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
                                                                                                                                                                                                            • Instruction ID: 0ce6ec70c77c992717eb959f135b56f98f7128e6f958ad4e09c8363bf76ba6b5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c7714a687ecd515da0b3d99d6b7bbb34f6b1e8ac2199ab9b74b109a4a99a3c73
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0511A3B0604244AFDB00FF69D842ADEB7B8EB49704B51C5BBF508E7381D738AD00CA69
APIs
• FileTimeToLocalFileTime.KERNEL32(?), ref: 0046F430
• FileTimeToSystemTime.KERNEL32(?,?,?), ref: 0046F43F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Time$File$LocalSystem
• String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
• API String ID: 1748579591-1013271723
• Opcode ID: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
• Instruction ID: b1f3f51ab816b97a6d4fd488e4796d5760ecc8acc51059d8482d4647201c4143
• Opcode Fuzzy Hash: b3309c05ae6708dc9511693656f5da53199351be95235e45feba58672e8eaade
• Instruction Fuzzy Hash: F111F5A040C3919AD340DF2AC44072BBAE4AB99708F44896FF9C8D6381E779C948DB67
APIs
• SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004546EB
  • Part of subcall function 004073A0: DeleteFileA.KERNEL32(00000000,0049D62C,00499FD9,00000000,0049A02E,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 004073AB
• MoveFileA.KERNEL32(00000000,00000000), ref: 00454710
  • Part of subcall function 00453C04: GetLastError.KERNEL32(00000000,00454799,00000005,00000000,004547CE,?,?,00000000,0049D62C,00000004,00000000,00000000,00000000,?,00499C8D,00000000), ref: 00453C07
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: File$AttributesDeleteErrorLastMove
• String ID: DeleteFile$MoveFile
• API String ID: 3024442154-139070271
• Opcode ID: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
• Instruction ID: 274a2e09890dd6abd1f20e60e4879b25532b4b8e44e7f96c1dbb1ac345d4d7c6
• Opcode Fuzzy Hash: cd51b7d6411f51ddff926bfb4089fa62fb2906befb808aa5ea3769e8c14f62c4
• Instruction Fuzzy Hash: 53F08B746141445BE701FBA5D94265FA7ECEB8431EF50403BB800BB6C3DB3C9D08492D
APIs
  • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
• RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00484FF1
• RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00485014
Strings
• CSDVersion, xrefs: 00484FE8
• System\CurrentControlSet\Control\Windows, xrefs: 00484FBE
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: CSDVersion$System\CurrentControlSet\Control\Windows
• API String ID: 3677997916-1910633163
• Opcode ID: 588979afecb5e58398fc217bb96039a03130116915b658699a0af779137a0fe4
• Instruction ID: 3d9820a6fde95d05ac542d305ffe0a0e534a7c1f4e1b62a11fb8fb702f882c01
• Opcode Fuzzy Hash: 588979afecb5e58398fc217bb96039a03130116915b658699a0af779137a0fe4
• Instruction Fuzzy Hash: E7F04975A40608E6DF10FAD18C55BDF73BCAB05704F604967E510E7281E7399A049BAE
APIs
  • Part of subcall function 0044BB28: LoadLibraryA.KERNEL32(00000000,00000000,0044BF0B,?,?,?,?,00000000,00000000,?,0044FD4D,0049A4DA), ref: 0044BB8A
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044BBA2
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044BBB4
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044BBC6
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044BBD8
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBEA
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044BBFC
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044BC0E
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044BC20
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044BC32
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044BC44
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044BC56
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044BC68
  • Part of subcall function 0044BB28: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044BC7A
  • Part of subcall function 004651E8: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004651FB
• LoadLibraryA.KERNEL32(00000000,SHPathPrepareForWriteA,00000000,0046528A,?,?,?,?,00000000,00000000,?,0049A502), ref: 0046525F
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00465265
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$DirectorySystem
• String ID: SHPathPrepareForWriteA$shell32.dll
• API String ID: 1442766254-2683653824
• Opcode ID: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
• Instruction ID: 415eb7409d81aa8454bb2dd4c72fa8b3e514a75415032da6adba06dceafb32ff
• Opcode Fuzzy Hash: 19c949dbb77f1a78b4d411d9c1a27eb2db95fd8b53bd2c0869d9e8e17518ae75
• Instruction Fuzzy Hash: F5F04470640A08BFD700FB62DC53F5E7BACEB45718FA044B7B400B6591EA7C9E04892D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00459C9D,00000000,00459E55,?,00000000,00000000,00000000), ref: 00459BAD
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                                                                                                                                                                            • API String ID: 47109696-2631785700
                                                                                                                                                                                                            • Opcode ID: b627f2800f19387767bd04b51e727e1d4b1db306c8c191df54aff93f44ad508f
                                                                                                                                                                                                            • Instruction ID: 9ff5366a1843594bb80037a440052cb9e88b760eaf161db27522a6c9f4c26c6f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b627f2800f19387767bd04b51e727e1d4b1db306c8c191df54aff93f44ad508f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2AF0AF31300121EBEB10EB17AC41B5E6789DB91316F18443BFA81C7253F6BCDC46862E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004542C2,00000000,00454365,?,?,00000000,00000000,00000000,00000000,00000000,?,00454755,00000000), ref: 0042DD5A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042DD60
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: GetSystemWow64DirectoryA$kernel32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-4063490227
                                                                                                                                                                                                            • Opcode ID: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
                                                                                                                                                                                                            • Instruction ID: 2c7f72bc3db4c40d16b1b765d912767d34fa58fe4c646cc18e222b4ed7f6fe44
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5abbe40046ba00350f24005cef1803a495b962ffc597d09d0b22329c5a666800
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0FE02660B60F1113D70071BA5C8379B208D4B84718F90043F3984F52C6DDBDD9490A6E
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042EF20), ref: 0042EFB2
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042EFB8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-260599015
                                                                                                                                                                                                            • Opcode ID: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
                                                                                                                                                                                                            • Instruction ID: 02ec898c6c75b1ba26151a3eebd585b8454ae7040b346800783755fde70e6890
                                                                                                                                                                                                            • Opcode Fuzzy Hash: baf4c7a8591a40d7dc6da6f15e5b4dc27338d30cfca151258ddc16df194b77c5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 01D0A993302B3332AA1071FB3DC19BB02CC8D202AA3670033F600E2280EA8CCC4012AC
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,0049A4DA), ref: 0044FD57
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044FD5D
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: NotifyWinEvent$user32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-597752486
                                                                                                                                                                                                            • Opcode ID: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
                                                                                                                                                                                                            • Instruction ID: af032255d430417ffea63134fe83afc5c4b4dbba1536058c56e775f9f11b8dd5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 21449735c4530238711e5baf3f7e6c6119c4b5ed48e58139290ccade4ce38153
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2E012E0E417449AFB00BBB96D467193AD0EF6471DF10007FB540A6291C77C44489B1D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0049A530,00000001,00000000,0049A554), ref: 0049A25A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0049A260
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                                                                                                                                                                            • API String ID: 1646373207-834958232
                                                                                                                                                                                                            • Opcode ID: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
                                                                                                                                                                                                            • Instruction ID: dac1c8ebddd32ae9bf6a035aad1c8d1f3cf840f271d0053423bdda14aa0d062e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 51550ffda035ac84042d4bddea94f20537adf7cd2f58fd56988f617bc6aacde1
• Instruction Fuzzy Hash: 09B09281686A01509C4033F20C06A1B0E08484171871800B73400F12C6CE6E842404FF
APIs
  • Part of subcall function 0042F2BC: GetTickCount.KERNEL32 ref: 0042F2C2
  • Part of subcall function 0042F0D8: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042F10D
• GetLastError.KERNEL32(00000000,004768B9,?,?,0049E1E4,00000000), ref: 004767A2
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CountErrorFileLastMoveTick
• String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
• API String ID: 2406187244-2685451598
• Opcode ID: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
• Instruction ID: 03a236e7dc5f504d91790a0ce298dd5dba96fa6117a2cc3ee4ad00c9fc2b7c38
• Opcode Fuzzy Hash: 60709b24bbd29ecba445f14f57d2c4ad189bd31ebd78b2e227524017e35208ed
• Instruction Fuzzy Hash: 53418474A006098BCB00EFA5D882ADE77B9EF48314F52853BE414B7391D7389E05CBAD
APIs
• GetDesktopWindow.USER32 ref: 00414196
• GetDesktopWindow.USER32 ref: 0041424E
  • Part of subcall function 00419310: 6F59C6F0.COMCTL32(00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 0041932C
  • Part of subcall function 00419310: ShowCursor.USER32(00000001,00000000,?,0041427E,?,?,?,?,00413F43,00000000,00413F56), ref: 00419349
• SetCursor.USER32(00000000,?,?,?,?,00413F43,00000000,00413F56), ref: 0041428C
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CursorDesktopWindow$Show
• String ID:
• API String ID: 2074268717-0
• Opcode ID: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
• Instruction ID: 6a264f145c0982e92da272f414c83554030b66ece25ea6070dcdf00fca6814f6
• Opcode Fuzzy Hash: cfce6284985b2a2f885b46e24aab87199b3bad27be3208afe6f8a3dae0a7e5f2
• Instruction Fuzzy Hash: 30414170A10151AFC710EF6DDD89B5677E5ABA9318B05807BE409CB366C738DC81CB1D
APIs
• GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408EC5
• LoadStringA.USER32 ref: 00408F34
• LoadStringA.USER32 ref: 00408FCF
• MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040900E
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: LoadString$FileMessageModuleName
• String ID:
• API String ID: 704749118-0
• Opcode ID: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
• Instruction ID: d606a76aa49eec759d07c5becdfef17a6c6b9766ea912d15a143196380f0994c
• Opcode Fuzzy Hash: 6a14109298dd6aa5b23f5014bc90c14a5f309fa4690e2bc273b58c6e1dd153b9
• Instruction Fuzzy Hash: C73162706083815AD330EB65C945BDBB7D99F8A304F00483FB6C8D72D2DB799904876B
APIs
• SendMessageA.USER32 ref: 0044EEE5
  • Part of subcall function 0044D528: SendMessageA.USER32 ref: 0044D55A
• InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044EF69
  • Part of subcall function 0042C004: SendMessageA.USER32 ref: 0042C018
• IsRectEmpty.USER32 ref: 0044EF2B
• ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044EF4E
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
• String ID:
• API String ID: 855768636-0
• Opcode ID: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
• Instruction ID: 5be5a2c99a49a2f339bd726f9f517b743d06364a043e5a66e7e3b57b404dc1d6
• Opcode Fuzzy Hash: 6e26a94a7199d382ea3abf285ca1d810cec0835dc4ac21152864a4c17455089d
• Instruction Fuzzy Hash: 5B118C3170031027E610BA7E8C82B5F66C99B88748F01483FB60AEB387DDB8DC09835E
APIs
• OffsetRect.USER32(?,?,00000000), ref: 00497270
• OffsetRect.USER32(?,00000000,?), ref: 0049728B
• OffsetRect.USER32(?,?,00000000), ref: 004972A5
• OffsetRect.USER32(?,00000000,?), ref: 004972C0
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: OffsetRect
• String ID:
• API String ID: 177026234-0
• Opcode ID: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
• Instruction ID: e718e50738441f611e1ccbf74e0cde98489d487b8bfa6672397ae6e260ffa509
• Opcode Fuzzy Hash: 1a73e688525ba1e930e3dbf3898af9d30e9465d405d6debb224a7eeb0afca85c
• Instruction Fuzzy Hash: BE214FB67142016BCB00DF69CD85E5BB7EEEBD4340F14CA2AF544C728AD634E9448796
APIs
• GetCursorPos.USER32 ref: 004176B0
• SetCursor.USER32(00000000), ref: 004176F3
• GetLastActivePopup.USER32(?), ref: 0041771D
• GetForegroundWindow.USER32(?), ref: 00417724
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Cursor$ActiveForegroundLastPopupWindow
• String ID:
• API String ID: 1959210111-0
• Opcode ID: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
                                                                                                                                                                                                            • Instruction ID: dbcb3e4d6cdf237ebd373b45723c7518e1d79ef9827cdcdbbe1e0fb97faef126
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 14110dda0b90429387dd3a163e0d8510df73624919390f4fd5eb2ebddd82d255
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8121CF303086018BC710EF29D980ADB73B1AB44768F52447BE8688B392D73DEC81CA8D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • MulDiv.KERNEL32(8B500000,00000008,?,?,?,00000000), ref: 00496ED9
                                                                                                                                                                                                            • MulDiv.KERNEL32(50142444,00000008,?,8B500000,00000008,?,?,?,00000000), ref: 00496EED
                                                                                                                                                                                                            • MulDiv.KERNEL32(F6E65FE8,00000008,?,50142444,00000008,?,8B500000,00000008,?,?,?,00000000), ref: 00496F01
                                                                                                                                                                                                            • MulDiv.KERNEL32(8BF88BFF,00000008,?,50142444,00000008,?,8B500000,00000008,?,?,?,00000000), ref: 00496F1F
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
                                                                                                                                                                                                            • Instruction ID: e3308cc84e827548128d2b2e4dd5895a6eb2c6c5d9673f95432de963ba277a10
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 865696dda9c04e972e54b31ac7a717d8d8d580924cf1526e353e6871edb84c7d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB113372604204AFCF40DFA9D8C4D9B7BECEF4D324B15516AF918DB24AD634ED408BA4
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetClassInfoA.USER32(00400000,0041F8C0,?), ref: 0041F8F1
                                                                                                                                                                                                            • UnregisterClassA.USER32(0041F8C0,00400000), ref: 0041F91A
                                                                                                                                                                                                            • RegisterClassA.USER32(0049B598), ref: 0041F924
                                                                                                                                                                                                            • SetWindowLongA.USER32(00000000,000000FC,00000000,00000000,00000B06,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000000,0049B598,00400000,0041F8C0), ref: 0041F95F
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4025006896-0
                                                                                                                                                                                                            • Opcode ID: ae6de89eb0d2e6a3729d1e0b10ea6149efd73b68be0a0487beae6f0a454497aa
                                                                                                                                                                                                            • Instruction ID: 2f8fb42507e3cd1bc96778dfed7eead12d65e2047fb8f4462c71738803dd6c65
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae6de89eb0d2e6a3729d1e0b10ea6149efd73b68be0a0487beae6f0a454497aa
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7012DB16141047BCB10FBA8ED81E9A379CD719318B11423BB505E72A1D739D8168BAC
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • FindResourceA.KERNEL32(00400000,?,00000000,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?,?,0047DE64,0000000A), ref: 0040D477
                                                                                                                                                                                                            • LoadResource.KERNEL32(00400000,72756F73,00400000,?,00000000,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000,?), ref: 0040D491
                                                                                                                                                                                                            • SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,00400000,?,00000000,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000,?,00000000), ref: 0040D4AB
                                                                                                                                                                                                            • LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,00400000,?,00000000,0040AC18,00400000,00000001,00000000,?,0040D3D4,00000000), ref: 0040D4B5
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3473537107-0
                                                                                                                                                                                                            • Opcode ID: 073da2e1467bd4923794a1699de9deb8666d8abafae58723814b459cf24724ae
                                                                                                                                                                                                            • Instruction ID: 736189130eb46f944708fe8ab0dcf7c2da2e7d83e7efdb8d5663637d3260b2f8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 073da2e1467bd4923794a1699de9deb8666d8abafae58723814b459cf24724ae
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FCF04FB3A005046F8B04EE9DA881D5B76DCDE88364310013AFD08EB282DA38DD018B78
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000,0045BFD1), ref: 00456574
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000), ref: 0045657D
                                                                                                                                                                                                            • RemoveFontResourceA.GDI32(00000000,00000082,00000002,00000000,?,?,00000000,0045BFAA,?,?,?,?,?,00000000,0045BFD1), ref: 0045658A
                                                                                                                                                                                                            • SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045659E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4283692357-0
                                                                                                                                                                                                            • Opcode ID: 77f16452261de92411383761736d4e3182d091853594e88ea7a4d07c86a218dd
                                                                                                                                                                                                            • Instruction ID: 60fc6220e6421739c6cddc48edde2e304ed69df2a150d613f8e8855ad9854c81
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77f16452261de92411383761736d4e3182d091853594e88ea7a4d07c86a218dd
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 27F054B174531076EA10B6B6AC47F5B22CC8F54749F54483A7604EB2C3D57CDD04966D
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000), ref: 00470CA1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Failed to set NTFS compression state (%d)., xrefs: 00470CB2
                                                                                                                                                                                                            • Setting NTFS compression on directory: %s, xrefs: 00470C6F
                                                                                                                                                                                                            • Unsetting NTFS compression on directory: %s, xrefs: 00470C87
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
• API String ID: 1452528299-1392080489
• Opcode ID: dfbe84044b29f3d57c509b65a983513d49cbe1f7a65d8e2e78e9d92552162f9b
• Instruction ID: 2f8c6a7a6e35e8588bbb9e762321129d74c961a1f58895d436786832a4f1a68a
• Opcode Fuzzy Hash: dfbe84044b29f3d57c509b65a983513d49cbe1f7a65d8e2e78e9d92552162f9b
• Instruction Fuzzy Hash: 04018B30D09248AACB15D7ED94812DDFBE89F0D305F54C1EFA459E7342DF790A08879A
APIs
• GetLastError.KERNEL32(?,00000000), ref: 0047144D
Strings
• Failed to set NTFS compression state (%d)., xrefs: 0047145E
• Setting NTFS compression on file: %s, xrefs: 0047141B
• Unsetting NTFS compression on file: %s, xrefs: 00471433
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLast
• String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
• API String ID: 1452528299-3038984924
• Opcode ID: fe182551a98f743fcb6dc7018ea21a6c51c49eaeb083c5d16317d3ad1726425c
• Instruction ID: a30ff693f52cd42e459b797e94763e7277481e0955e0c4e592f957c66b82d28b
• Opcode Fuzzy Hash: fe182551a98f743fcb6dc7018ea21a6c51c49eaeb083c5d16317d3ad1726425c
• Instruction Fuzzy Hash: 41016730D0424866CB1497AD64422DDBBE89F4D315F94C1EFA458E7352DE790A0887AA
APIs
• GetCurrentProcess.KERNEL32(00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000,0049A5EB), ref: 00479455
• OpenProcessToken.ADVAPI32(00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671,?,?,?,?,?,0049A5C3,00000000), ref: 0047945B
• GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047947D
• CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,00000001,00000000,00000002,00000000,00482671), ref: 0047948E
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ProcessToken$CloseCurrentHandleInformationOpen
• String ID:
• API String ID: 215268677-0
• Opcode ID: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
• Instruction ID: 6505384fcc0360b3c734b71afb4e1a1a4ab6f9baee95e57f14d901b11eacad59
• Opcode Fuzzy Hash: 6d49464bdbc91184ad7f6ac62fff289a707b850c7d11bd8742fde9f2fb834cc3
• Instruction Fuzzy Hash: 90F030716447006BD600EAB58D82E9B73DCEB44354F04883EBE98CB2C1D678DC08AB76
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window$ActiveEnabledForegroundLastPopupVisible
• String ID:
• API String ID: 2280970139-0
• Opcode ID: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
• Instruction ID: 92c4e0b2622c21c1aafdf32b5a5e60d634be871c9bac48645995030a32fad986
• Opcode Fuzzy Hash: 6de0995d0e447abcc63ecfbcb3df3be24c1d568dc5660fd48fcf8973f81aa8b9
• Instruction Fuzzy Hash: BBE01261B0293157AA31FA7AA885A9F118CDD47BC43460277BC41F7297DB2CDC1045FD
APIs
• GlobalHandle.KERNEL32 ref: 0040627F
• GlobalUnlock.KERNEL32(00000000), ref: 00406286
• GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040628B
• GlobalLock.KERNEL32 ref: 00406291
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Global$AllocHandleLockUnlock
• String ID:
• API String ID: 2167344118-0
• Opcode ID: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction ID: 024a49765fc045a09389489d8ed5919b86daafa6bea6a005e9f609907830066e
• Opcode Fuzzy Hash: cbc5b304f88c7a08b053d0b09bd11fc9f2d944e51c7d356257a26bde9ab667b0
• Instruction Fuzzy Hash: 64B009C6925A46B8EC0473B24C4BD3F041CE88472C3809A6E7554BA0839C7C9C002E3A
APIs
• RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047CE0D,?,00000000,00000000,00000001,00000000,0047B7C1,?,00000000), ref: 0047B785
Strings
• Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 0047B5F9
• Failed to parse "reg" constant, xrefs: 0047B78C
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Close
• String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
• API String ID: 3535843008-1938159461
• Opcode ID: 6611c1e9441ec69d347f76f9853cf70306d1c1791fe979a3a4115cedc0ac6e02
• Instruction ID: f1421b174eee6fc7f54e6f8e7a43c19df08b7389384ab18ee26f4796af10067b
• Opcode Fuzzy Hash: 6611c1e9441ec69d347f76f9853cf70306d1c1791fe979a3a4115cedc0ac6e02
• Instruction Fuzzy Hash: 89815175E00208AFCB10DFA5D481BDEBBF9EF48354F50816AE454A7391DB38AE05CB99
APIs
• LocalFileTimeToFileTime.KERNEL32(?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 004776F8
• SetFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,00000000,00000000,00477727,?,00000000,00477738,?,00000000,00477781), ref: 0047770C
Strings
• Extracting temporary file: , xrefs: 00477634
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileTime$Local
                                                                                                                                                                                                            • String ID: Extracting temporary file:
                                                                                                                                                                                                            • API String ID: 791338737-4171118009
                                                                                                                                                                                                            • Opcode ID: 8d8d29b45fb9742880719863d89589a4356bfd1e7f13b2e05d84abbcd72ab195
                                                                                                                                                                                                            • Instruction ID: 13e9f88ccb8282ea38195536ff5c63a907cbb836f3d7a61bc1ee4cb3f854d839
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8d8d29b45fb9742880719863d89589a4356bfd1e7f13b2e05d84abbcd72ab195
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4041B774A04649AFCB01DF65CC91AEFBBB8EB09304F51847AF910A7391D678A901CB98
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Failed to proceed to next wizard page; showing wizard., xrefs: 0046D9F8
                                                                                                                                                                                                            • Failed to proceed to next wizard page; aborting., xrefs: 0046D9E4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
                                                                                                                                                                                                            • API String ID: 0-1974262853
                                                                                                                                                                                                            • Opcode ID: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
                                                                                                                                                                                                            • Instruction ID: 84e2974eb34e4f2dda2b8c8cb2eefec3d4715c8d151fead2dfc4afe0ae77ca03
                                                                                                                                                                                                            • Opcode Fuzzy Hash: add31560b0341e522612951ad2314b824f5c06f277653e44a4d324fe3becfdea
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4D319E70F04204EFD711EB69D989BA977F5EB05304F6500BBE408AB3A2D7786E44CB1A
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 0042E26C: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00484FCF,?,00000001,?,?,00484FCF,?,00000001,00000000), ref: 0042E288
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,0047A1C6,?,?,00000001,00000000,00000000,0047A1E1), ref: 0047A1AF
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • %s\%s_is1, xrefs: 0047A158
                                                                                                                                                                                                            • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047A13A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseOpen
                                                                                                                                                                                                            • String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                                                                                                                                                                            • API String ID: 47109696-1598650737
                                                                                                                                                                                                            • Opcode ID: 91dc773cb254a962c58777c4e5504297312389ea1f328f3f9ad862e77fdf1cb2
                                                                                                                                                                                                            • Instruction ID: 0d63d1a050f55a8da938840af3d9f6bfa62d29ba12cdbe4796c61ae60ad15f2e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 91dc773cb254a962c58777c4e5504297312389ea1f328f3f9ad862e77fdf1cb2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8E216474B042449FEB01DFA9CC516EEBBF8EB89704F90847AE404E7381D7789E158B59
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SendMessageA.USER32 ref: 004508A1
                                                                                                                                                                                                            • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004508D2
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ExecuteMessageSendShell
                                                                                                                                                                                                            • String ID: open
                                                                                                                                                                                                            • API String ID: 812272486-2758837156
                                                                                                                                                                                                            • Opcode ID: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
                                                                                                                                                                                                            • Instruction ID: f57ce05e9eba324e121f638db0535f08eb0d68243c76b72727f5d658c61a4d86
                                                                                                                                                                                                            • Opcode Fuzzy Hash: adc24c5d3b5368d32e78575de7f2422fd367a658f9279fd22d1d28f183eb37d2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4C216075E00604BFDB00EFA9C981E9EB7F8EB44705F10817AB904F7292D7789A45CB88
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • ShellExecuteEx.SHELL32 ref: 00455A94
                                                                                                                                                                                                            • GetLastError.KERNEL32(0000003C,00000000,00455ADD,?,?,?), ref: 00455AA5
                                                                                                                                                                                                              • Part of subcall function 0042DD14: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042DD27
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                                                                                                                                                                            • String ID: <
                                                                                                                                                                                                            • API String ID: 893404051-4251816714
                                                                                                                                                                                                            • Opcode ID: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
                                                                                                                                                                                                            • Instruction ID: 1dd1e4a4b05f96b02f6cdc30b2026c57645841094811f513de853399c4f5318c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d516e6598b8be20c8747e6ec9c3ac67b1ec18d9ef1beef7a885f0700c60fe9ff
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 482151B0A00649AFDB00DF65D8926AE7BE8EF08345F50413BF844E7281E7789E49CB58
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RtlEnterCriticalSection.KERNEL32(0049D420), ref: 004025C7
                                                                                                                                                                                                            • RtlLeaveCriticalSection.KERNEL32 ref: 00402630
  • Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32 ref: 004019E2
  • Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049D420), ref: 004019F5
  • Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049D420,00000000,00401A82,?,?,0040222E,02364000,?,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
  • Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32 ref: 00401A7C
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$AllocInitializeLocal
• String ID: )
• API String ID: 2227675388-1084416617
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00498451
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Window
• String ID: /INITPROCWND=$%x $@
• API String ID: 2353593579-4169826103
APIs
  • Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
  • Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
• SysFreeString.OLEAUT32(?), ref: 00447966
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: String$AllocByteCharFreeMultiWide
• String ID: NIL Interface Exception$Unknown Method
• API String ID: 3952431833-1023667238
APIs
• CreateProcessA.KERNEL32 ref: 00497CF6
• CloseHandle.KERNEL32(00498718,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00497D50,?,00497D44,00000000), ref: 00497D0D
  • Part of subcall function 00497BE0: GetLastError.KERNEL32(00000000,00497C78,?,?,?,?), ref: 00497C04
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CloseCreateErrorHandleLastProcess
• String ID: D
• API String ID: 3798668922-2746444292
APIs
• SetFileAttributesA.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 00453607
• GetLastError.KERNEL32(00000000,?,00000000,0045362D,?,?,-00000001,?), ref: 0045360F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: AttributesErrorFileLast
• String ID: @8H
• API String ID: 1799206407-3762495883
APIs
  • Part of subcall function 0047E3D0: FreeLibrary.KERNEL32(00000000,00482E1B), ref: 0047E3E6
  • Part of subcall function 0047E0A8: GetTickCount.KERNEL32 ref: 0047E0F2
  • Part of subcall function 00457A90: SendMessageA.USER32 ref: 00457AAF
• GetCurrentProcess.KERNEL32(00000001,?,?,?,?,0049A243), ref: 00499941
• TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,0049A243), ref: 00499947
Strings
• Detected restart. Removing temporary directory., xrefs: 004998FB
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
• String ID: Detected restart. Removing temporary directory.
• API String ID: 1717587489-3199836293
APIs
• GetModuleHandleA.KERNEL32(00000000,0049A49E), ref: 0040334B
• GetCommandLineA.KERNEL32(00000000,0049A49E), ref: 00403356
Strings
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: CommandHandleLineModule
• String ID: 07w
• API String ID: 2123368496-2236381225
APIs
Memory Dump Source
• Source File: 0000000E.00000002.1884901862.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000E.00000002.1884857488.0000000000400000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885184163.000000000049B000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885225353.000000000049C000.00000008.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885255474.000000000049D000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000E.00000002.1885312733.00000000004AD000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_400000_rdmappweb-4.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID:
• API String ID: 1458359878-0

Execution Graph

Execution Coverage: 0.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4%
Total number of Nodes: 552
Total number of Limit Nodes: 48
83863->83865 83867 6f878065 83864->83867 83868 6f862061 83864->83868 83916 6f86ad05 HeapCreate 83865->83916 83873 6f887448 _cexit 83867->83873 83874 6f878082 83867->83874 83884 6f87809c 83867->83884 83870 6f8625a7 83868->83870 83871 6f86206a 83868->83871 83869 6f86b23a 83872 6f86b242 83869->83872 83869->83884 83886 6f8620d1 __gets_helper 83870->83886 83917 6f862539 82 API calls __threadstartex@4 83870->83917 83875 6f86067b __threadstartex@4 3 API calls 83871->83875 83918 6f86b398 97 API calls 3 library calls 83872->83918 83883 6f887452 83873->83883 83924 6f877ffb _initterm _initterm 83874->83924 83879 6f86206f TlsGetValue 83875->83879 83888 6f862083 83879->83888 83881 6f86b247 83881->83884 83919 6f86ad86 84 API calls _match 83881->83919 83882 6f878087 83882->83883 83885 6f878090 83882->83885 83929 6f8d6ca8 78 API calls __wexecve 83883->83929 83926 6f8d6ca8 78 API calls __wexecve 83884->83926 83927 6f8d65ea HeapDestroy 83884->83927 83928 6f8ac4bd 81 API calls __wexecve 83884->83928 83925 6f8780a1 81 API calls 83885->83925 83886->83860 83888->83886 83894 6f861ee1 _match 77 API calls 83888->83894 83892 6f887457 83930 6f8ac4bd 81 API calls __wexecve 83892->83930 83898 6f862093 83894->83898 83896 6f86b254 83896->83884 83920 6f86aeae 82 API calls 2 library calls 83896->83920 83897 6f88745c 83931 6f8d65ea HeapDestroy 83897->83931 83898->83884 83900 6f86209f DecodePointer 83898->83900 83904 6f8620b4 83900->83904 83902 6f887461 83932 6f86014e 77 API calls 2 library calls 83902->83932 83903 6f86b261 GetCommandLineA GetCommandLineW 83921 6f86b22a _setmbcp 83903->83921 83904->83902 83906 6f8620bc 83904->83906 83910 6f86215f __fcvt 77 API calls 83906->83910 83907 6f86b281 83922 6f86b2a9 77 API calls 4 library calls 83907->83922 83912 6f8620c3 GetCurrentThreadId 83910->83912 83911 6f86b286 83911->83884 83923 6f86b976 89 API calls shared_ptr 83911->83923 83912->83886 83914 6f86b295 83914->83867 83914->83884 83915->83861 83916->83869 83917->83886 83918->83881 83919->83896 
83920->83903 83921->83907 83922->83911 83923->83914 83924->83882 83925->83884 83926->83884 83927->83884 83928->83884 83929->83892 83930->83897 83931->83902 83932->83884

Control-flow Graph

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00701BD6
• mprError.LIBMPR(Cannot open service manager), ref: 00701BE7
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00701C04
• CloseServiceHandle.ADVAPI32(00000000), ref: 00701C11
• mprError.LIBMPR(Cannot open service), ref: 00701C1C
Strings
• Cannot delete service: 0x%x, xrefs: 00701CCC
• Cannot open service, xrefs: 00701C17
• Cannot open service manager, xrefs: 00701BE2
• Cannot stop service: 0x%x, xrefs: 00701CA1
Memory Dump Source
• Source File: 0000000F.00000002.1873802646.0000000000701000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00700000, based on PE: true
• Associated: 0000000F.00000002.1873758637.0000000000700000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000F.00000002.1873824855.0000000000704000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000F.00000002.1873853184.0000000000707000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_700000_RDMAppman.jbxd
Similarity
• API ID: ErrorOpenService$CloseHandleManager
• String ID: Cannot delete service: 0x%x$Cannot open service$Cannot open service manager$Cannot stop service: 0x%x
• API String ID: 261947648-2492110048
• Opcode ID: f5297a28ef20a104d5f7dc79515ecb98b23965b7532df343b69a694ecfa1a491
• Instruction ID: 087453f77b091b2e0fa099186df916b1ae507788466c565c06f033a495ab9559
• Opcode Fuzzy Hash: f5297a28ef20a104d5f7dc79515ecb98b23965b7532df343b69a694ecfa1a491
• Instruction Fuzzy Hash: 892102F1BC0301F7E62067A0AC4AF6B33DC9B0170AF044360FB04A21C1EEAED95585BA

Control-flow Graph

[Graph for function 6f838a80 (edge list of basic blocks, executed/not-executed marking and called APIs) not reproduced; the rendered graph is not recoverable from text, and the called APIs are listed below.]

APIs
• _time64.MSVCR100 ref: 6F838AB0
• srand.MSVCR100 ref: 6F838AB7
• InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438C4,000005DC), ref: 6F838ACC
• mprCreateMemService.LIBMPR(6F811560,?), ref: 6F838AD8
  • Part of subcall function 6F830100: GetSystemInfo.KERNELBASE(?), ref: 6F830114
  • Part of subcall function 6F830100: VirtualAlloc.KERNELBASE(00000000,00000FFF,00003000,00000004), ref: 6F83015D
• gettimeofday.LIBMPR(?,00000000), ref: 6F838AF7
  • Part of subcall function 6F819420: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6F81944E
  • Part of subcall function 6F819420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819467
  • Part of subcall function 6F819420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819483
  • Part of subcall function 6F819420: GetTimeZoneInformation.KERNEL32(?), ref: 6F8194A3
  • Part of subcall function 6F82B1E0: TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6F81102F,?), ref: 6F82B2B0
  • Part of subcall function 6F82B1E0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,6F81102F,?), ref: 6F82B302
• mprCreateHash.LIBMPR(00000043,00000010,?,00000000,00000000), ref: 6F838B92
• mprCreateList.LIBMPR(00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F838BB3
• mprCreateHash.LIBMPR(00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F838BC0
• mprCreateFileSystem.LIBMPR(6F83BC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F838BD7
• mprCreateTimeService.LIBMPR(00000202,?), ref: 6F838C08
• mprCreateSpinLock.LIBMPR(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C13
• mprCreateSpinLock.LIBMPR(?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C1E
• mprCreateThreadService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C57
• mprCreateModuleService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C62
• mprCreateEventService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C6D
• mprCreateCmdService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C78
• mprCreateWorkerService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C83
• mprCreateWaitService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C8E
• mprCreateSocketService.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838C99
• getenv.MSVCR100 ref: 6F838CA9
• memcpy.MSVCR100(00000008,00000000,00000001), ref: 6F838CF7
• mprCreateCond.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6F838D06
• mprCreateDispatcher.LIBMPR(main,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6F838D18
• mprCreateDispatcher.LIBMPR(nonblock,00000000,main,00000000), ref: 6F838D2A
• mprGetCurrentThread.LIBMPR ref: 6F838D55
• mprCreateWindow.LIBMPR(00000000), ref: 6F838D63
• mprStartEventsThread.LIBMPR ref: 6F838D76
  • Part of subcall function 6F82B570: mprCreateThread.LIBMPR(events,6F82AF50,00000000,00000000), ref: 6F82B57F
• mprStartGCService.LIBMPR ref: 6F838D81
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Create$Service$ThreadTime$CriticalSectionSpinSystem$DispatcherFileHashLockStartUnothrow_t@std@@@__ehfuncinfo$??2@$AllocCondCountCurrentEnterEventEventsInfoInformationInitializeLeaveListModuleSocketVirtualWaitWindowWorkerZone_time64getenvgettimeofdaymemcpysrand
• String ID: PATH$main$nonblock
• API String ID: 2973349961-3940408414
• Opcode ID: 18cff20f1c0864662fedcd52c38e30391ec33ced9a44f4614b83b5214de16936
• Instruction ID: 8b022bb341ca4fa133564961acf7be3d8a45fcf2adddf75d44c4fc67f43ed527
• Opcode Fuzzy Hash: 18cff20f1c0864662fedcd52c38e30391ec33ced9a44f4614b83b5214de16936
• Instruction Fuzzy Hash: 3C9105B3E08701AFD7109FB8984579BB6E0AF55304F044DA9D489CF2A1EB74A448CBD2

Control-flow Graph (graph rendering with executed / not executed basic blocks omitted)
APIs
• mprShutdown.LIBMPR(?,00100000,?,?), ref: 6F829947
  • Part of subcall function 6F8296E0: EnterCriticalSection.KERNEL32(?), ref: 6F8296FF
  • Part of subcall function 6F8296E0: LeaveCriticalSection.KERNEL32(?), ref: 6F829734
• mprGetTicks.LIBMPR ref: 6F82996D
• PostMessageA.USER32(?,00000000,00000000,00000000), ref: 6F8299C1
• mprWaitForCond.LIBMPR(?,000003E8,00000000), ref: 6F8299DB
• mprGetTicks.LIBMPR ref: 6F8299F4
• mprTraceProc.LIBMPR(00000002,Cancel termination due to continuing requests, application resumed.), ref: 6F829A63
• mprCancelShutdown.LIBMPR ref: 6F829A6B
Strings
• Exiting, xrefs: 6F829C18
• Restarting, xrefs: 6F829C11, 6F829C1D
• Cancel termination due to continuing requests, application resumed., xrefs: 6F829A5C
• mprRestart not supported on this platform, xrefs: 6F829C45
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSectionShutdownTicks$CancelCondEnterLeaveMessagePostProcTraceWait
• String ID: Cancel termination due to continuing requests, application resumed.$Exiting$Restarting$mprRestart not supported on this platform
• API String ID: 1752463892-1881933816
• Opcode ID: 18af8cb421ebd04a83b249848159d67aec1f0eb7b57e94c9c02c67229ad3882b
• Instruction ID: 6dc79d4b46ee870390c360575aacdc76a3891b98e73b24e1b7ec02fd5c3793e5
• Opcode Fuzzy Hash: 18af8cb421ebd04a83b249848159d67aec1f0eb7b57e94c9c02c67229ad3882b
• Instruction Fuzzy Hash: AB91F9356007019FDB08DB58C84AB9973E1BF45728F0489F9D8054F299DB32F889EBD0

Control-flow Graph (graph rendering with executed / not executed basic blocks omitted)
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F8296FF
• LeaveCriticalSection.KERNEL32(?), ref: 6F829734
• LeaveCriticalSection.KERNEL32(?), ref: 6F829756
• mprGetTicks.LIBMPR ref: 6F8297BF
• mprTraceProc.LIBMPR(00000003,Abort with restart.), ref: 6F8297FA
• mprError.LIBMPR(mprRestart not supported on this platform), ref: 6F829807
• mprTraceProc.LIBMPR(00000003,Application exit, waiting for existing requests to complete.), ref: 6F82981F
• mprCreateEvent.LIBMPR(00000000,shutdownMonitor,00000000,00000000,6F827BB0,00000000,00000003), ref: 6F829851
• mprWakeDispatchers.LIBMPR ref: 6F829859
• PostMessageA.USER32(?,00000000,00000000,00000000), ref: 6F829884
• EnterCriticalSection.KERNEL32(?), ref: 6F8298AE
• LeaveCriticalSection.KERNEL32(?), ref: 6F8298C8
• mprTraceProc.LIBMPR(00000003,Abortive exit.), ref: 6F8298FD
• exit.MSVCR100 ref: 6F829906
• LeaveCriticalSection.KERNEL32(?), ref: 6F829914
Strings
• Abortive exit., xrefs: 6F8298F7
• shutdownMonitor, xrefs: 6F82984A
• Abort with restart., xrefs: 6F8297F4
• mprRestart not supported on this platform, xrefs: 6F829802
• Application exit, waiting for existing requests to complete., xrefs: 6F829819
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$ProcTrace$Enter$CreateDispatchersErrorEventMessagePostTicksWakeexit
• String ID: Abort with restart.$Abortive exit.$Application exit, waiting for existing requests to complete.$mprRestart not supported on this platform$shutdownMonitor
• API String ID: 1188098924-749738587
• Opcode ID: 42addaa2b7da18880f8f2ec7ad5dde34ee73db5ca32060f775ce31eebdd242e1
• Instruction ID: 53f457e5563e7a27002d24a0796126b643c015a45fb2cab2e3cf4af699377a77
• Opcode Fuzzy Hash: 42addaa2b7da18880f8f2ec7ad5dde34ee73db5ca32060f775ce31eebdd242e1
• Instruction Fuzzy Hash: 3061D075A00601AFDB18DF18C849F6677E0BB42720F158AEAE8195F3A5D731F884EBD0

Control-flow Graph (graph rendering omitted)

APIs
• memset.MSVCR100 ref: 6F834D39
• mprCreateSpinLock.LIBMPR ref: 6F834D9A
• gethostname.WS2_32 ref: 6F834DC5
• scopy.LIBMPR(?,00000400,localhost), ref: 6F834DDE
• mprError.LIBMPR(Cannot get host name. Using "localhost".,?,00000400,localhost), ref: 6F834DE8
• strchr.MSVCR100 ref: 6F834DF8
• scopy.LIBMPR(?,00000400,?,?,00000400), ref: 6F834E15
• scopy.LIBMPR(?,00000400,00000001,?,00000400,?,?,00000400), ref: 6F834E30
• mprSetServerName.LIBMPR(?,?,00000400,?,?,00000400), ref: 6F834E42
• mprSetDomainName.LIBMPR(?,?,?,00000400,?,?,00000400), ref: 6F834E4F
• mprSetHostName.LIBMPR(?,?,?,?,00000400,?,?,00000400), ref: 6F834E5C
• mprCreateList.LIBMPR(00000000,00000000,?,?,?,?,00000400,?,?,00000400), ref: 6F834E65
• socket.WS2_32(00000017,00000001,00000000), ref: 6F834E76
• closesocket.WS2_32(00000000), ref: 6F834E8A
• mprTraceProc.LIBMPR(00000001,This system does not have IPv6 support,?,?,?,?,?,00000400,?,?,00000400), ref: 6F834EBB
  • Part of subcall function 6F826F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6F826F52
Strings
• localhost, xrefs: 6F834DCF
• Cannot get host name. Using "localhost"., xrefs: 6F834DE3
• This system does not have IPv6 support, xrefs: 6F834EB4
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Namescopy$Create$CoreDomainErrorHostListLockPrintfProcServerSpinTraceclosesocketgethostnamememsetsocketstrchr
• String ID: Cannot get host name. Using "localhost".$This system does not have IPv6 support$localhost
• API String ID: 2941904441-3921791619
• Opcode ID: bec50bec11cffbc20364870aa386c272f3faea0da7331feb663232330b27ffe8
• Instruction ID: 8a9c96fb3eddbd8749f11311d6998d785e28c0ffcee74d2643c377a2e3380c9b
• Opcode Fuzzy Hash: bec50bec11cffbc20364870aa386c272f3faea0da7331feb663232330b27ffe8
• Instruction Fuzzy Hash: 5D512BB2904351ABE724CB68DC05F9B77E4AF81318F448E9DE6459E1D1EB79E004C7D1

Control-flow Graph (graph image omitted; function at 6f8249c0, edges coloured Executed / Not Executed)
APIs
• fmt.LIBMPR(?,00001000,SYSTEM\CurrentControlSet\Services\EventLog\Application\%s,?), ref: 6F824A99
• RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 6F824AC5
• RegSetValueExA.KERNELBASE(?,EventMessageFile,00000000,00000002,%SystemRoot%\System32\netmsg.dll,00000021), ref: 6F824AE9
• RegCloseKey.ADVAPI32(?), ref: 6F824AF4
• RegSetValueExA.KERNELBASE ref: 6F824B2D
• RegCloseKey.KERNELBASE(?), ref: 6F824B38
• RegisterEventSourceA.ADVAPI32(00000000,?), ref: 6F824B48
• ReportEventA.ADVAPI32(00000000,00000001,00000000,00000CE3,00000000,00000009,00000000,?,00000000), ref: 6F824B67
• DeregisterEventSource.ADVAPI32(00000000), ref: 6F824B6E
Strings
• SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 6F824A7D
• %SystemRoot%\System32\netmsg.dll, xrefs: 6F824ADB
• TypesSupported, xrefs: 6F824B1F
• EventMessageFile, xrefs: 6F824AE3
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Event$CloseSourceValue$CreateDeregisterRegisterReport
• String ID: %SystemRoot%\System32\netmsg.dll$EventMessageFile$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported
• API String ID: 1095276338-4169126159
• Opcode ID: a855301acc9aa0a31fd705194795111d926ff8be2521c0fa6044c1ebbbd7d1a7
• Instruction ID: 3614a49d03e5dbb1aaf2cd3acb540396a969c53b3ae6d224ed8ec22b49aa99a2
• Opcode Fuzzy Hash: a855301acc9aa0a31fd705194795111d926ff8be2521c0fa6044c1ebbbd7d1a7
• Instruction Fuzzy Hash: B651E675508340AFD714DF64C885E9BBBE8FB88344F404D9DF6868B252D330A948CBE2

Control-flow Graph (graph image omitted)

APIs
• mprDoWaitRecall.LIBMPR(?), ref: 6F82A41B
• mprGetCurrentThread.LIBMPR ref: 6F82A42E
• mprCreateWindow.LIBMPR(00000000), ref: 6F82A43F
• mprError.LIBMPR(mprWaitForIO: Cannot get window), ref: 6F82A456
• mprYield.LIBMPR(00000002), ref: 6F82A46B
• SetTimer.USER32(?,00000000,7FFFFFFF,00000000), ref: 6F82A477
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 6F82A485
• mprResetYield.LIBMPR ref: 6F82A48F
• mprShutdown.LIBMPR(00000000,00000000,000000FF,000000FF), ref: 6F82A49A
• mprResetYield.LIBMPR ref: 6F82A4BC
• TranslateMessage.USER32(?), ref: 6F82A4C6
• DispatchMessageA.USER32(?), ref: 6F82A4D1
Strings
• mprWaitForIO: Cannot get window, xrefs: 6F82A451
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: MessageYield$Reset$CreateCurrentDispatchErrorRecallShutdownThreadTimerTranslateWaitWindow
• String ID: mprWaitForIO: Cannot get window
• API String ID: 1568713199-681859796
• Opcode ID: 60275b2dbb01c39d8f938e1a42b9c9bf28b2308a89a2e7f2c48287cd5fb76cab
• Instruction ID: 4a36b0333bcaeb262a63e74618a6263dff635760fea7faef1b5d7c5d3f3b4ff9
• Opcode Fuzzy Hash: 60275b2dbb01c39d8f938e1a42b9c9bf28b2308a89a2e7f2c48287cd5fb76cab
• Instruction Fuzzy Hash: 242138B29043026BD700AF5CACC486AB3D8FE41238B504FFFE8254A181D736F59996E2

Control-flow Graph (graph image omitted)

APIs
• GetSystemInfo.KERNELBASE(?), ref: 6F830114
• VirtualAlloc.KERNELBASE(00000000,00000FFF,00003000,00000004), ref: 6F83015D
• memset.MSVCR100 ref: 6F83017F
• mprVirtAlloc.LIBMPR ref: 6F8301C2
• getenv.MSVCR100 ref: 6F8302C9
• scmp.LIBMPR(00000000,?,00000000,00000C58), ref: 6F8302D3
• mprCreateCond.LIBMPR(0003FEC8,?,?,?,00000000,00000C58), ref: 6F830312
• mprCreateList.LIBMPR(000000FF,00000020,0003FEC8,?,?,?,00000000,00000C58), ref: 6F830327
• mprAddItem.LIBMPR(00000000,01070020,000000FF,00000020,0003FEC8,?,?,?,00000000,00000C58), ref: 6F830340
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocCreate$CondInfoItemListSystemVirtVirtualgetenvmemsetscmp
• String ID: MPR_DISABLE_GC
• API String ID: 4082112180-2375395910
• Opcode ID: e1ea18fcf901ce013c5f675e32ba48e5a28041867133f95d1735d0808ddf0318
• Instruction ID: ab8776d95d271b009a094b98289a1741b3bfc266e168f6cafe5e9949e7db6de4
• Opcode Fuzzy Hash: e1ea18fcf901ce013c5f675e32ba48e5a28041867133f95d1735d0808ddf0318
• Instruction Fuzzy Hash: E351C4B5A047049FD744EF58C485BE6BBE0FB05328F144AFED4594B391DB366448CB80

Control-flow Graph (graph image omitted)

                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • _lock.MSVCR100(00000008,6F877F98,00000018,6F8AC0CB,00000001,00000001,00000000,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9), ref: 6F877EE6
                                                                                                                                                                                                            • DecodePointer.KERNEL32(6F877F98,00000018,6F8AC0CB,00000001,00000001,00000000,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F20
                                                                                                                                                                                                            • DecodePointer.KERNEL32(?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F35
                                                                                                                                                                                                            • _encoded_null.MSVCR100(?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F4C
                                                                                                                                                                                                            • DecodePointer.KERNEL32(-00000004,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F5B
                                                                                                                                                                                                            • _encoded_null.MSVCR100(?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F5F
                                                                                                                                                                                                            • DecodePointer.KERNEL32(?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F6E
                                                                                                                                                                                                            • DecodePointer.KERNEL32(?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9,0000000D), ref: 6F877F78
                                                                                                                                                                                                              • Part of subcall function 6F877E18: GetModuleHandleW.KERNEL32(00000000,6F877EDC,6F877F98,00000018,6F8AC0CB,00000001,00000001,00000000,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001), ref: 6F877E1A
                                                                                                                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 6F887405
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: DecodePointer$_encoded_null$ExitHandleModuleProcess___crt_lock
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 729311798-0
                                                                                                                                                                                                            • Opcode ID: 1b5858514a1d90a017d9935ed1d1ebf40c675b23ac21a2450d79d0826045e681
                                                                                                                                                                                                            • Instruction ID: 579b95826e18a5bfcfe48426cd202943c84a2e7b5e8b1bc1ff8f6a26edb3e129
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b5858514a1d90a017d9935ed1d1ebf40c675b23ac21a2450d79d0826045e681
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3312B719083499EEF60AFB8CA4079DBAB1FF19319F1049BED510AE290DFB84950CF60

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • _errno.MSVCR100 ref: 6F8AC799
                                                                                                                                                                                                            • _invalid_parameter_noinfo.MSVCR100 ref: 6F8AC7A4
                                                                                                                                                                                                              • Part of subcall function 6F8DAEAE: _invalid_parameter.MSVCR100(00000000,00000000,00000000,00000000,00000000,6F8AB84F,?,6F8AC3D3,00000003,6F8874A4,6F86AA18,0000000C,6F8874F7,00000001,00000001), ref: 6F8DAEB5
                                                                                                                                                                                                            • __set_flsgetvalue.MSVCR100 ref: 6F8AC7AE
                                                                                                                                                                                                            • _calloc_crt.MSVCR100(00000001,00000214), ref: 6F8AC7BA
                                                                                                                                                                                                            • _getptd.MSVCR100 ref: 6F8AC7C7
                                                                                                                                                                                                            • _initptd.MSVCR100(00000000,?), ref: 6F8AC7D0
                                                                                                                                                                                                            • CreateThread.KERNELBASE(?,?,6F8AC724,00000000,?,?), ref: 6F8AC7FE
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 6F8AC808
                                                                                                                                                                                                            • free.MSVCR100(00000000), ref: 6F8AC811
                                                                                                                                                                                                            • __dosmaperr.LIBCMT(00000000), ref: 6F8AC81C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateErrorLastThread__dosmaperr__set_flsgetvalue_calloc_crt_errno_getptd_initptd_invalid_parameter_invalid_parameter_noinfofree
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2355482382-0
                                                                                                                                                                                                            • Opcode ID: 9fadd1eb32728a332ba1ddeb3e80296f12fc26d40940509416378a170f2d7279
                                                                                                                                                                                                            • Instruction ID: c40ccead08334659f229cb4d0db856039574ede59b803e56b5847b000c6e9de9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9fadd1eb32728a332ba1ddeb3e80296f12fc26d40940509416378a170f2d7279
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1B11A532204B06BF9B059FAD9C4499B37E9EF46774B100CE9F924DE191EB72E41187A4

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 6F81D810: strchr.MSVCR100 ref: 6F81D868
                                                                                                                                                                                                              • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKEY_LOCAL_MACHINE,?,0000005C), ref: 6F81D896
                                                                                                                                                                                                              • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKLM,?,?,?,0000005C), ref: 6F81D8AF
                                                                                                                                                                                                              • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(00000000,HKEY_CURRENT_USER,?,?,?,?,?,0000005C), ref: 6F81D8C4
                                                                                                                                                                                                              • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKCU,?,?,?,?,?,?,?,0000005C), ref: 6F81D8D9
                                                                                                                                                                                                              • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKEY_USERS,?,?,?,?,?,?,?,?,?,0000005C), ref: 6F81D8EE
                                                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(?,00000000,00000000,00020019,?), ref: 6F82DCD0
                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 6F82DCF9
                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 6F82DD12
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: scaselesscmp$CloseOpenQueryValuestrchr
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 759369415-0
                                                                                                                                                                                                            • Opcode ID: 07c4fc8eb0eac413cce811722f31a174aa30609c2a19cd53a5b523878db5a9a9
                                                                                                                                                                                                            • Instruction ID: 9e6ab4a380f18fac38d62a2bafa869c918d577264f3f9597f13be4e08a76ebd8
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07c4fc8eb0eac413cce811722f31a174aa30609c2a19cd53a5b523878db5a9a9
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C214D76208302AFD714CE64EC90BABB7E9EFC4614F008D59F9908B240E634E90AC7D2
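The listing above documents a libmpr helper (subcall 6F81D810) that resolves a registry path string: it locates the first backslash with strchr (0x5C), compares the leading token case-insensitively against HKEY_LOCAL_MACHINE/HKLM, HKEY_CURRENT_USER/HKCU and HKEY_USERS, and the caller then opens the key with RegOpenKeyExA using samDesired 0x20019, which is KEY_READ (READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY), reads one value with RegQueryValueExA and closes the handle. The Python below is an added illustration, not code from the sample or from Joe Sandbox: it reproduces that parsing logic and decodes the access mask so an analyst can tell a read-only registry lookup from one that requests write rights. The HKEY_* handle values and access-right bits are the documented Windows constants; the function and field names, and the sample path used at the bottom, are my own.

```python
"""Registry path parsing and access-mask decoding, modelled on the libmpr
helper at 6F81D810 and the RegOpenKeyExA call at 6F82DCD0 in the listing.
Added illustration only; not code from the sample or from Joe Sandbox."""
from typing import List, NamedTuple, Optional

# Hive aliases the sample compares case-insensitively (scaselesscmp) before
# opening the key. The HKEY_* pseudo-handle values are the documented ones.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": 0x80000002,
    "HKLM": 0x80000002,
    "HKEY_CURRENT_USER": 0x80000001,
    "HKCU": 0x80000001,
    "HKEY_USERS": 0x80000003,
}

# Registry access-right bits from winnt.h, in the order they are reported.
ACCESS_BITS = [
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),  # same value as STANDARD_RIGHTS_READ
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
]
# Rights that let the caller modify the key, its values or its ACL.
WRITE_MASK = 0x00000002 | 0x00000004 | 0x00000020 | 0x00010000 | 0x00040000 | 0x00080000
KEY_READ = 0x20019  # the samDesired value passed at 6F82DCD0


class RegPath(NamedTuple):
    hive: int     # HKEY_* pseudo-handle
    subkey: str   # remainder of the path after the first backslash


def parse_reg_path(path: str) -> Optional[RegPath]:
    """Split at the first backslash (as strchr does at 6F81D868) and resolve
    the hive alias; return None for a hive the sample does not handle."""
    sep = path.find("\\")
    hive_name = path if sep < 0 else path[:sep]
    subkey = "" if sep < 0 else path[sep + 1:]
    hive = HIVE_ALIASES.get(hive_name.upper())
    if hive is None:
        return None
    return RegPath(hive, subkey)


def decode_access_mask(sam: int) -> List[str]:
    """Name every access-right bit set in a samDesired value; unknown bits
    are reported as a hex remainder rather than silently dropped."""
    names = [name for bit, name in ACCESS_BITS if sam & bit]
    leftover = sam & ~sum(bit for bit, _ in ACCESS_BITS)
    if leftover:
        names.append("0x%X" % leftover)
    return names


def requests_write(sam: int) -> bool:
    """True if the mask carries any right that can change the key or its ACL."""
    return bool(sam & WRITE_MASK)


if __name__ == "__main__":
    # Constructed sample path; the key name is illustrative only.
    parsed = parse_reg_path("HKLM\\SOFTWARE\\Example\\Key")
    print(parsed)
    print(decode_access_mask(KEY_READ), "write:", requests_write(KEY_READ))
```

Because 0x20019 carries no write bits, this particular open is a configuration read; the same decoder flags an open with 0x20006 (KEY_WRITE) or 0xF003F (KEY_ALL_ACCESS) as one worth a closer look.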

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                             Basic blocks and edges (graph legend: Executed / Not Executed; the per-block colouring is not preserved in this text export):
                                                                                                                                                                                                             • 364: 6f829d50-6f829d65 -> 365, 366
                                                                                                                                                                                                             • 365: 6f829d67-6f829d77 (mprCreateWindowClass) -> 366, 369
                                                                                                                                                                                                             • 366: 6f829d8b-6f829db7 (CreateWindowExA) -> 367, 368
                                                                                                                                                                                                             • 367: 6f829dc8-6f829dca
                                                                                                                                                                                                             • 368: 6f829db9-6f829dc6 (mprError) -> 367
                                                                                                                                                                                                             • 369: 6f829d79-6f829d8a (mprError)
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprCreateWindowClass.LIBMPR(?), ref: 6F829D68
                                                                                                                                                                                                              • Part of subcall function 6F829CE0: RegisterClassA.USER32 ref: 6F829D20
                                                                                                                                                                                                              • Part of subcall function 6F829CE0: mprError.LIBMPR(Cannot register windows class), ref: 6F829D33
                                                                                                                                                                                                            • mprError.LIBMPR(Cannot create window class), ref: 6F829D7E
                                                                                                                                                                                                              • Part of subcall function 6F827010: mprPrintfCore.LIBMPR(?,00002000,?,?,6F825F72,Cannot open log file %s,?), ref: 6F827042
                                                                                                                                                                                                            • CreateWindowExA.USER32(00000000,00000000,?,00000000,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6F829DA8
                                                                                                                                                                                                            • mprError.LIBMPR(Cannot create window), ref: 6F829DBE
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Cannot create window class, xrefs: 6F829D79
                                                                                                                                                                                                            • Cannot create window, xrefs: 6F829DB9
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Error$ClassCreateWindow$CorePrintfRegister
                                                                                                                                                                                                            • String ID: Cannot create window$Cannot create window class
                                                                                                                                                                                                            • API String ID: 2117133146-1593879683
                                                                                                                                                                                                            • Opcode ID: 781bb5b107af0190537d5a011b9c031e8eb488d4761d5b584e566920d9aea7ef
                                                                                                                                                                                                            • Instruction ID: 899dd4254cb4109f4f4105d8030e029a9e0042093915e4626d2839e07928a733
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 781bb5b107af0190537d5a011b9c031e8eb488d4761d5b584e566920d9aea7ef
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DFF0C276504310AAD7609B68AC00F5A72F4AF81724F044CA9E845AE195EB70F885E2D2

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                             Basic blocks and edges (graph legend: Executed / Not Executed; the per-block colouring is not preserved in this text export):
                                                                                                                                                                                                             • 370: 6f821330-6f821337 -> 371, 372
                                                                                                                                                                                                             • 371: 6f821339-6f82133e -> 372, 373
                                                                                                                                                                                                             • 372: 6f82134d-6f821369 (_beginthreadex) -> 374, 375
                                                                                                                                                                                                             • 373: 6f821340-6f821344 -> 372, 378
                                                                                                                                                                                                             • 374: 6f821384-6f821392 -> 376, 377
                                                                                                                                                                                                             • 375: 6f82136b-6f82136d -> 379, 380
                                                                                                                                                                                                             • 376: 6f821394-6f821395 (LeaveCriticalSection) -> 377
                                                                                                                                                                                                             • 377: 6f82139b-6f82139e
                                                                                                                                                                                                             • 378: 6f821346-6f821347 (EnterCriticalSection) -> 372
                                                                                                                                                                                                             • 379: 6f82136f-6f821374 -> 380, 381
                                                                                                                                                                                                             • 380: 6f82137d-6f821383
                                                                                                                                                                                                             • 381: 6f821376-6f821377 (LeaveCriticalSection) -> 380
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F821347
                                                                                                                                                                                                            • _beginthreadex.MSVCR100 ref: 6F82135E
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821377
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821395
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter_beginthreadex
                                                                                                                                                                                                            • String ID:

Control-flow Graph

APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00701BD6
• mprError.LIBMPR(Cannot open service manager), ref: 00701BE7
• OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 00701C04
• CloseServiceHandle.ADVAPI32(00000000), ref: 00701C11
• mprError.LIBMPR(Cannot open service), ref: 00701C1C
Strings
• Cannot open service manager, xrefs: 00701BE2
Memory Dump Source
• Source File: 0000000F.00000002.1873802646.0000000000701000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00700000, based on PE: true
• Associated: 0000000F.00000002.1873758637.0000000000700000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000F.00000002.1873824855.0000000000704000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 0000000F.00000002.1873853184.0000000000707000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_700000_RDMAppman.jbxd
Similarity
• API ID: ErrorOpenService$CloseHandleManager
• String ID: Cannot open service manager

Control-flow Graph

APIs
• _getptd.MSVCR100(6F8AC708,0000000C,6F8AC788,?), ref: 6F8AC6CF
• _endthreadex.MSVCR100(00000000), ref: 6F8AC6DF
  • Part of subcall function 6F8AC6A4: __freeptd.LIBCMT ref: 6F8AC6B3
  • Part of subcall function 6F8AC6A4: ExitThread.KERNEL32 ref: 6F8AC6BC
• __XcptFilter.LIBCMT(?,?,00000000), ref: 6F8AC6F0
Memory Dump Source
• Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
Similarity
• API ID: ExitFilterThreadXcpt__freeptd_endthreadex_getptd
• String ID:
APIs
  • Part of subcall function 6F860698: GetLastError.KERNEL32(6F853238,?,6F8607BA,6F8F7F62), ref: 6F86069C
  • Part of subcall function 6F860698: __set_flsgetvalue.MSVCR100 ref: 6F8606AA
  • Part of subcall function 6F860698: SetLastError.KERNEL32(00000000), ref: 6F8606BC
• __freeptd.LIBCMT ref: 6F8AC6B3
  • Part of subcall function 6F862539: TlsGetValue.KERNEL32(?,?,6F8625B6,00000000,6F8620E0,00000008,6F862116,00000001,?), ref: 6F86255A
  • Part of subcall function 6F862539: TlsGetValue.KERNEL32(?,?,6F8625B6,00000000,6F8620E0,00000008,6F862116,00000001,?), ref: 6F86256C
  • Part of subcall function 6F862539: DecodePointer.KERNEL32(00000000,?,6F8625B6,00000000,6F8620E0,00000008,6F862116,00000001,?), ref: 6F862582
  • Part of subcall function 6F862539: _freefls.MSVCR100(00000000,?,6F8625B6,00000000,6F8620E0,00000008,6F862116,00000001,?), ref: 6F86258D
  • Part of subcall function 6F862539: TlsSetValue.KERNEL32(00000002,00000000,?,6F8625B6,00000000,6F8620E0,00000008,6F862116,00000001,?), ref: 6F86259F
• ExitThread.KERNEL32 ref: 6F8AC6BC
Memory Dump Source
• Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
Similarity
• API ID: Value$ErrorLast$DecodeExitPointerThread__freeptd__set_flsgetvalue_freefls
• String ID:
APIs
• ___crtCorExitProcess.LIBCMT ref: 6F877EB4
  • Part of subcall function 6F877E57: GetModuleHandleW.KERNEL32(mscoree.dll,?,6F877EB9,00000001,?,6F8874B5,000000FF,0000001E,6F86AA18,0000000C,6F8874F7,00000001,00000001,?,6F8621A9,0000000D), ref: 6F877E61
  • Part of subcall function 6F877E57: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6F877E71
• ExitProcess.KERNEL32 ref: 6F877EBD
Memory Dump Source
• Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
Similarity
• API ID: ExitProcess$AddressHandleModuleProc___crt
• String ID:
APIs
• _unlock.MSVCR100(00000008,6F877F98,00000018,6F8AC0CB,00000001,00000001,00000000,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001,?,6F8621A9), ref: 6F877FD2
  • Part of subcall function 6F860C67: LeaveCriticalSection.KERNEL32(?,6F86AB87,0000000A,6F86ABD0,?,6F8621A9,0000000D), ref: 6F860C76
  • Part of subcall function 6F877EAC: ___crtCorExitProcess.LIBCMT ref: 6F877EB4
  • Part of subcall function 6F877EAC: ExitProcess.KERNEL32 ref: 6F877EBD
Memory Dump Source
• Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
Similarity
• API ID: ExitProcess$CriticalLeaveSection___crt_unlock
• String ID:
                                                                                                                                                                                                            • API String ID: 2090324275-0
                                                                                                                                                                                                            • Opcode ID: bbf91be99f011d02a906e4a8afe34d2d43576cf5ddba605b61e4b4a762a984a5
                                                                                                                                                                                                            • Instruction ID: bc21c97100f9acc5dfdf895372a2324e68c4603dc1dce4c6ed0ecf79cc499d80
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bbf91be99f011d02a906e4a8afe34d2d43576cf5ddba605b61e4b4a762a984a5
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7ED05231404788EAEF309F28CA08B8C3A61FF00328F600E89F8200D2E0CFF846D4DA41
APIs
• _unlock.MSVCR100(00000008,6F877FC0,6F877F98,00000018,6F8AC0CB,00000001,00000001,00000000,?,6F8AC0FC,000000FF,?,6F887507,00000011,00000001), ref: 6F877FE9
Memory Dump Source
• Source File: 0000000F.00000002.1874450032.000000006F851000.00000020.00000001.01000000.0000000F.sdmp, Offset: 6F850000, based on PE: true
• Associated: 0000000F.00000002.1874431639.000000006F850000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874546547.000000006F903000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874565352.000000006F905000.00000008.00000001.01000000.0000000F.sdmp
• Associated: 0000000F.00000002.1874585157.000000006F908000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f850000_RDMAppman.jbxd
Similarity
• API ID: _unlock
• String ID:
• API String ID: 2480363372-0
• Opcode ID: b130028ab0cd65cf7bb74338deddde45a3c7265e0161153ec8c473bb1ae8a34e
• Instruction ID: ea05f5eb1872b002453362807aa51c6253f678660bda0f62426735a53e9e3de7
• Opcode Fuzzy Hash: b130028ab0cd65cf7bb74338deddde45a3c7265e0161153ec8c473bb1ae8a34e
• Instruction Fuzzy Hash: 85B012204583CDD9D724091C4700F8C1110BF40B1AF805EC4D4500C0D04FF40144D210
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00003000,?), ref: 6F82A91B
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 29235d3f8b3edd515f545f5c2f0a8aed7696cf98a0c1e2bf9f381bb6ae05720d
• Instruction ID: 4be5cc7baefd445180227f86fb7245382755d75c26d5766f4828748248b98630
• Opcode Fuzzy Hash: 29235d3f8b3edd515f545f5c2f0a8aed7696cf98a0c1e2bf9f381bb6ae05720d
• Instruction Fuzzy Hash: 0B11CB313042059FEB04CA64C885B9A73E5EF853A8F1548FAE944CF281D722B8C7D7D2
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F82ED1D
• memcpy.MSVCR100(00000008,?,?), ref: 6F82ED79
• mprGetSocketInfo.LIBMPR(6F83C864,?,?,?,?,?), ref: 6F82EDE7
• socket.WS2_32(?,00000001,?), ref: 6F82EE0A
• setsockopt.WS2_32(00000000,0000FFFF,000000FF,?,00000004), ref: 6F82EE40
• setsockopt.WS2_32(FFFFFFFF), ref: 6F82EE95
• closesocket.WS2_32(FFFFFFFF), ref: 6F82EEAE
• LeaveCriticalSection.KERNEL32(?), ref: 6F82EEC3
• bind.WS2_32(FFFFFFFF,?,?), ref: 6F82EEE2
• _errno.MSVCR100 ref: 6F82EEFA
• mprTraceProc.LIBMPR(00000003,Cannot bind, address %s:%d already in use,?,?), ref: 6F82EF1A
• _errno.MSVCR100 ref: 6F82EF2F
• mprTraceProc.LIBMPR(00000003,Cannot bind, address %s:%d errno,?,?), ref: 6F82EF41
• GetLastError.KERNEL32 ref: 6F82EF49
• closesocket.WS2_32(FFFFFFFF), ref: 6F82EF63
• SetLastError.KERNEL32(?), ref: 6F82EF6E
• listen.WS2_32(FFFFFFFF,7FFFFFFF), ref: 6F82EF8D
• mprGetOsError.LIBMPR ref: 6F82EFA2
• mprTraceProc.LIBMPR(00000003,Listen error %d,00000000), ref: 6F82EFAF
• setsockopt.WS2_32(FFFFFFFF,0000FFFF,00000004,?,00000004), ref: 6F82EFDC
• mprSetSocketBlockingMode.LIBMPR(?), ref: 6F82EFE8
• mprSetSocketNoDelay.LIBMPR(?,00000001), ref: 6F82EFFB
• LeaveCriticalSection.KERNEL32(?), ref: 6F82F00B
Strings
• Cannot bind, address %s:%d already in use, xrefs: 6F82EF13
• Cannot bind, address %s:%d errno, xrefs: 6F82EF3A
• Listen error %d, xrefs: 6F82EFA8
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalErrorProcSectionSocketTracesetsockopt$LastLeave_errnoclosesocket$BlockingDelayEnterInfoModebindlistenmemcpysocket
• String ID: Cannot bind, address %s:%d already in use$Cannot bind, address %s:%d errno$Listen error %d
• API String ID: 1409988739-2683728519
• Opcode ID: b7cb102992f8bf039b04d6a6376b9cd1d1bfc39cd7df7dabdef01c08489bfa26
• Instruction ID: ef201f9c9137c1c261a011e8b872aae5003d14592395200de63d6d3f2c852f89
• Opcode Fuzzy Hash: b7cb102992f8bf039b04d6a6376b9cd1d1bfc39cd7df7dabdef01c08489bfa26
• Instruction Fuzzy Hash: E591DCB6604705AFE720DB68C844B5777E8AF85314F008E9DF8958F290E770F985CB95
APIs
Strings
• Allocation errors %14d, xrefs: 6F81E0C3
• Free heap memory %14u K, xrefs: 6F81DEE4
• Memory redline unlimited, xrefs: 6F81DF09
• Heap max %14u MB (%.2f %%), xrefs: 6F81DF9C
• Heap redline %14u MB (%.2f %%), xrefs: 6F81E027
• Total app memory %14u K, xrefs: 6F81DEAB
• Memory limit unlimited, xrefs: 6F81DF02
• Allocated memory %14u K, xrefs: 6F81DEC9
• Heap cache %14u MB (%.2f %%), xrefs: 6F81E0B5
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: printf
• String ID: Allocated memory %14u K$ Allocation errors %14d$ Free heap memory %14u K$ Heap cache %14u MB (%.2f %%)$ Heap max %14u MB (%.2f %%)$ Heap redline %14u MB (%.2f %%)$ Memory limit unlimited$ Memory redline unlimited$ Total app memory %14u K
• API String ID: 3524737521-797745283
• Opcode ID: c2942299cd8457d04535971a2bef9aed35f2bf803024bcfe218d9d1cdee8ca14
• Instruction ID: ab437c7c769ecb8b265243085baa4018038b6371bb00558f8c9d99a1347c853d
• Opcode Fuzzy Hash: c2942299cd8457d04535971a2bef9aed35f2bf803024bcfe218d9d1cdee8ca14
• Instruction Fuzzy Hash: 0551BBB5908B089FC314AF69C85168AFBF4EB85364F518E5DF5A643360DF71A440CF92
APIs
• mprCreateList.LIBMPR(000000FF,00000000), ref: 6F835FC2
• mprJoinPath.LIBMPR(?,*.*,000000FF,00000000), ref: 6F835FD3
  • Part of subcall function 6F8341E0: sclone.LIBMPR(?), ref: 6F83426B
  • Part of subcall function 6F8341E0: strchr.MSVCR100 ref: 6F834275
  • Part of subcall function 6F8341E0: sjoin.LIBMPR(00000000,?,00000000), ref: 6F83428A
• FindFirstFileA.KERNEL32(00000000,?), ref: 6F836012
• fmt.LIBMPR(?,00000400,%s%c%s,?,?,00000008), ref: 6F8360E5
• mprAddItem.LIBMPR(?,00000008,?,00000008), ref: 6F83613C
• FindNextFileA.KERNEL32(?,?), ref: 6F836152
                                                                                                                                                                                                            • FindClose.KERNEL32(?), ref: 6F836161
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Find$File$CloseCreateFirstItemJoinListNextPathsclonesjoinstrchr
                                                                                                                                                                                                            • String ID: %s%c%s$*.*$.
                                                                                                                                                                                                            • API String ID: 2099375139-1934494419
                                                                                                                                                                                                            • Opcode ID: 5a846e94332f3f3a13aee5afefca874378ee99ca537313bba8bc33ac5c8c611b
                                                                                                                                                                                                            • Instruction ID: 3b1239756a4232d3b4dc7e661662d349eb08259e372dc20ef211fd11fe666483
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a846e94332f3f3a13aee5afefca874378ee99ca537313bba8bc33ac5c8c611b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5251E4769043519FD724CF58C880EABB7F5AF86314F444DADE4998B261D730A909CBD2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6F82BE66
                                                                                                                                                                                                            • mprGetError.LIBMPR ref: 6F82BE70
                                                                                                                                                                                                            • CryptGenRandom.ADVAPI32(?,00000004,00000008), ref: 6F82BE7F
                                                                                                                                                                                                            • mprGetError.LIBMPR ref: 6F82BE89
                                                                                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6F82BE97
                                                                                                                                                                                                            • mprError.LIBMPR(Failed to get random bytes), ref: 6F82BEAC
                                                                                                                                                                                                            • gettimeofday.LIBMPR(?,00000000,Failed to get random bytes), ref: 6F82BEB8
                                                                                                                                                                                                            • _getpid.MSVCR100(?,?,000003E8,00000000,?,?,Failed to get random bytes), ref: 6F82BEF7
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Failed to get random bytes, xrefs: 6F82BEA7
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CryptError$Context$AcquireRandomRelease_getpidgettimeofday
                                                                                                                                                                                                            • String ID: Failed to get random bytes
                                                                                                                                                                                                            • API String ID: 4246189246-1271269013
                                                                                                                                                                                                            • Opcode ID: e8ae3353a744670cc88997e2b298e13ae1eff9f1b41d529a77ec44f07f49da89
                                                                                                                                                                                                            • Instruction ID: 05063ac2135120552044bdc3f459f033b332d564881ce79e29f0c980d44abda4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8ae3353a744670cc88997e2b298e13ae1eff9f1b41d529a77ec44f07f49da89
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DB41797620D3515BD3008A7C9C81B1B7BD6DF86618F480DE9F681CF282D634F6888BE2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F828F26
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F828F3A
                                                                                                                                                                                                            • mprYield.LIBMPR(00000002), ref: 6F828F6B
                                                                                                                                                                                                            • recvfrom.WS2_32 ref: 6F828F93
                                                                                                                                                                                                            • recv.WS2_32(?,?,?,00000000), ref: 6F828FA3
                                                                                                                                                                                                            • mprResetYield.LIBMPR ref: 6F828FB1
                                                                                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6F828FBA
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F829021
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$LeaveYield$EnterErrorLastResetrecvrecvfrom
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1417606863-0
                                                                                                                                                                                                            • Opcode ID: 0960f95cf491757a45d50a417936c8209b588417e6aef2ce81ee8891bb5bdf41
                                                                                                                                                                                                            • Instruction ID: f3663f5396bbdf3740b506087aa9001f64bed095ebcbed69ae455bfc66268c2e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0960f95cf491757a45d50a417936c8209b588417e6aef2ce81ee8891bb5bdf41
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4131D232A08B088BEB348B64D904757B7E5BF49724F000F9AE59A8B190EB34F584D7D5
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 6F82183C
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F821866
                                                                                                                                                                                                            • _localtime64.MSVCR100 ref: 6F821878
                                                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 6F821897
                                                                                                                                                                                                              • Part of subcall function 6F819010: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819021
                                                                                                                                                                                                              • Part of subcall function 6F819010: _localtime64.MSVCR100 ref: 6F819033
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: InformationTimeUnothrow_t@std@@@Zone__ehfuncinfo$??2@_localtime64
                                                                                                                                                                                                            • String ID: o
                                                                                                                                                                                                            • API String ID: 1740920007-252678980
                                                                                                                                                                                                            • Opcode ID: 1b99cb57d8524f49c5cd29306680993ec04bbcdcede68f867172777c5087eda4
                                                                                                                                                                                                            • Instruction ID: 99c14e650c2022ec38f20f9c4298d1cd02dec39551dd435f1eb7f8df1d05fdf9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b99cb57d8524f49c5cd29306680993ec04bbcdcede68f867172777c5087eda4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 932183726083059BE714DF68D880B6FB7E9EB84304F404D6AB445DB290DB75E908CBE2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6F82C80C
                                                                                                                                                                                                            • mprGetError.LIBMPR ref: 6F82C816
                                                                                                                                                                                                            • CryptGenRandom.ADVAPI32(?,?,00000008), ref: 6F82C824
                                                                                                                                                                                                            • mprGetError.LIBMPR ref: 6F82C82E
                                                                                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6F82C83C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Crypt$ContextError$AcquireRandomRelease
• String ID:
• API String ID: 1312025126-0
• Opcode ID: e1ea5c1daad93273e30c8a80092a3b9e84ab6a4edf251bf4bc726bdff535c451
• Instruction ID: 081eb8eb88aeb07ba9fb56e70aa1d4bbaacf0f8ae44be40fbf50c1bda698a274
• Opcode Fuzzy Hash: e1ea5c1daad93273e30c8a80092a3b9e84ab6a4edf251bf4bc726bdff535c451
• Instruction Fuzzy Hash: 4E21F1B770874A5BD7108ABC9C84B27B6D89F57378F104EA9E510CF192E761F89882E0
APIs
• sfmt.LIBMPR(%s:%s,?,?), ref: 6F82C691
• mprEncode64Block.LIBMPR(00000008,00000018), ref: 6F82C75F
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: BlockEncode64sfmt
• String ID: %s:%s$hprOBnaeloheSredDyrctbuo
• API String ID: 2078847154-176781231
• Opcode ID: 6181a9e584abde071a605b4911ea3358df67545a9a2422e2d8c37f13815ec6d3
• Instruction ID: 117165c4b9eefe0f58b0eb830ee0152b20a66910cb8cd35342095e5595687dc2
• Opcode Fuzzy Hash: 6181a9e584abde071a605b4911ea3358df67545a9a2422e2d8c37f13815ec6d3
• Instruction Fuzzy Hash: E641D3B56086019FD704CF2CD841AA6B7E0BF86324F008AAEE858CB341DB75F994CBC1
APIs
• mprTraceProc.LIBMPR(00000002,Configuration for %s,?), ref: 6F835CAE
  • Part of subcall function 6F826F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6F826F52
• mprTraceProc.LIBMPR(00000002,---------------------------------------------), ref: 6F835CCA
  • Part of subcall function 6F826F20: mprDefaultLogHandler.LIBMPR(00000080,?,00000000), ref: 6F826F98
• mprTraceProc.LIBMPR(00000002,Version: %s,4.6.0.10), ref: 6F835CEB
• mprTraceProc.LIBMPR(00000002,BuildType: %s,Release), ref: 6F835D0C
• mprTraceProc.LIBMPR(00000002,CPU: %s,x86), ref: 6F835D2D
• mprTraceProc.LIBMPR(00000002,OS: %s,windows), ref: 6F835D4E
• mprTraceProc.LIBMPR(00000002,Host: %s,?), ref: 6F835D6A
• mprGetCurrentPath.LIBMPR ref: 6F835D7C
  • Part of subcall function 6F833CA0: _getcwd.MSVCR100 ref: 6F833CBD
  • Part of subcall function 6F833CA0: mprGetAbsPath.LIBMPR(6F83BC50), ref: 6F833CCF
• mprTraceProc.LIBMPR(00000002,Directory: %s,00000000), ref: 6F835D88
• mprTraceProc.LIBMPR(00000002,Configure: %s,me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est), ref: 6F835DA5
• mprTraceProc.LIBMPR(00000002,---------------------------------------------), ref: 6F835DBD
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: ProcTrace$Path$CoreCurrentDefaultHandlerPrintf_getcwd
• String ID: ---------------------------------------------$4.6.0.10$BuildType: %s$CPU: %s$Configuration for %s$Configure: %s$Directory: %s$Host: %s$OS: %s$Release$Version: %s$me configure --nocross --release --platform windows-x86-default --with openssl=C:/openssl-1.0.1h --with esp --without sqlite --without est$windows$x86
• API String ID: 1495325220-1951094172
• Opcode ID: 228ce084d56c71ed208f5130d2bac392184aa2d87bd877856a6bab55ed32af3b
• Instruction ID: d2a5677d96c5ec42696edee691fe3a2be1d2aafb349a75e3b0e3c0052f6f3da0
• Opcode Fuzzy Hash: 228ce084d56c71ed208f5130d2bac392184aa2d87bd877856a6bab55ed32af3b
• Instruction Fuzzy Hash: D821D133D01A35BBCA01D79CE849C4937D49B03A0DB05CCE6F4045F27AD724AA95CAD6
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 6F836D3C
• GetProcAddress.KERNEL32(?,?), ref: 6F836D51
• mprTraceProc.LIBMPR(00000002,Activating native module %s), ref: 6F836D7B
• mprSearchForModule.LIBMPR(?), ref: 6F836D8C
• mprGetCurrentPath.LIBMPR(?), ref: 6F836DA8
• mprError.LIBMPR(Cannot find module "%s", cwd: "%s", search path "%s",?,00000000,?), ref: 6F836DB7
• mprGetPathBase.LIBMPR(?), ref: 6F836E03
  • Part of subcall function 6F820000: mprAllocFast.LIBMPR(00000001), ref: 6F82000B
• mprTraceProc.LIBMPR(00000002,Loading native module %s,00000000), ref: 6F836E1F
  • Part of subcall function 6F826F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6F826F52
• LoadLibraryA.KERNEL32(?), ref: 6F836E2B
• GetLastError.KERNEL32 ref: 6F836E37
• mprError.LIBMPR(Cannot load module %sReason: "%d",?,00000000), ref: 6F836E53
• GetProcAddress.KERNEL32(00000000,00000002), ref: 6F836E7E
• mprError.LIBMPR(Cannot load module %sReason: can't find function "%s",?,00000002), ref: 6F836E90
• FreeLibrary.KERNEL32(00000000), ref: 6F836E99
• mprError.LIBMPR(Initialization for module %s failed), ref: 6F836ECC
  • Part of subcall function 6F827010: mprPrintfCore.LIBMPR(?,00002000,?,?,6F825F72,Cannot open log file %s,?), ref: 6F827042
• FreeLibrary.KERNEL32(00000000), ref: 6F836ED5
Strings
• Initialization for module %s failed, xrefs: 6F836EC7
• Cannot load module %sReason: can't find function "%s", xrefs: 6F836E8B
• Cannot load module %sReason: "%d", xrefs: 6F836E4E
• Loading native module %s, xrefs: 6F836E18
• Activating native module %s, xrefs: 6F836D74
• Cannot find module "%s", cwd: "%s", search path "%s", xrefs: 6F836DB2
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Error$Proc$Library$AddressCoreFreeModulePathPrintfTrace$AllocBaseCurrentFastHandleLastLoadSearch
• String ID: Activating native module %s$Cannot find module "%s", cwd: "%s", search path "%s"$Cannot load module %sReason: "%d"$Cannot load module %sReason: can't find function "%s"$Initialization for module %s failed$Loading native module %s
• API String ID: 3526622940-647770071
• Opcode ID: 55f3e7b5c4a61d1b016f9e7ee1e1450846953b450962c239fe6d97ab3bb337a1
• Instruction ID: d1ef5baab63c587b7140d38fee7ca23b70de96ee3fc0d25bd6a809523761d660
• Opcode Fuzzy Hash: 55f3e7b5c4a61d1b016f9e7ee1e1450846953b450962c239fe6d97ab3bb337a1
• Instruction Fuzzy Hash: F9519577A00710ABCB14DBADC845E2B73E5AF8A214F544DADE459CB3A0DB31E844CBD1
APIs
• mprSpinLock.LIBMPR(?), ref: 6F825F1C
• mprSetLogFile.LIBMPR(00000000), ref: 6F825F26
• mprBackupLog.LIBMPR(?,?,00000000), ref: 6F825F38
• mprOpenFile.LIBMPR(?,00004101,000001B4,?,?,00000000), ref: 6F825F50
• mprError.LIBMPR(Cannot open log file %s,?), ref: 6F825F6D
• LeaveCriticalSection.KERNEL32(?), ref: 6F825F9D
• mprSetLogFile.LIBMPR(00000000), ref: 6F825FA9
• LeaveCriticalSection.KERNEL32(?), ref: 6F825FCE
• mprWriteFile.LIBMPR(?,6F83BA88,00000001), ref: 6F825FE8
• fmt.LIBMPR(?,00002000,%s: %d: %s,?,?,?), ref: 6F82601A
• mprWriteFile.LIBMPR(?,?,?), ref: 6F826040
• mprWriteFileString.LIBMPR(?,?), ref: 6F826054
• fmt.LIBMPR(?,00002000,%s: %s: %s,?,Warning,?), ref: 6F826091
• mprWriteToOsLog.LIBMPR(?,?,?,?,00002000,%s: %s: %s,?,Warning,?), ref: 6F8260A4
• mprWriteFileString.LIBMPR(?,?,?,?,?,?,00002000,%s: %s: %s,?,Warning,?), ref: 6F8260AF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$Write$CriticalLeaveSectionString$BackupErrorLockOpenSpin
                                                                                                                                                                                                            • String ID: %s: %d: %s$%s: %s: %s$Cannot open log file %s$Error$Fatal$Warning
                                                                                                                                                                                                            • API String ID: 706791017-2135178579
                                                                                                                                                                                                            • Opcode ID: 4d39343a4ad5a4304c7645c9b3eae6696b908f9aff4cd751b861b8e9ebd29432
                                                                                                                                                                                                            • Instruction ID: b94f109b9b8fb85cdf1fb9b4a905f9dbb67be7f9cd9f41cdc0ca9b4c7526b57e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4d39343a4ad5a4304c7645c9b3eae6696b908f9aff4cd751b861b8e9ebd29432
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D35108B1604301ABDB18DB18C849FA773E8AB85308F148DE9F9044F295DB75F985CBD2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: gettimeofday
                                                                                                                                                                                                            • String ID: %H:%M:%S %Z %Y$%a %b %d %H:%M:%S %Z %Y$%a %b %d %T %Y %Z$%s %d %s$0123456789ABCDEF$AaBbCcDdEeFHhIjklMmnOPpRrSsTtUuvWwXxYyZz+%$TZ=$Y-%m-%d$a %b$a %b %d %H:%M:%S %Z %Y$m/%d/%y
                                                                                                                                                                                                            • API String ID: 910392884-3310071870
                                                                                                                                                                                                            • Opcode ID: efadb9312bf271e7c6eaec3474699dae33bff905b6fc39fdd272ae51ce2aad80
                                                                                                                                                                                                            • Instruction ID: 020b23d2d1b49bb0c2e1bb8783683c04d4904269a641c9a64aca948e0bbe0eae
                                                                                                                                                                                                            • Opcode Fuzzy Hash: efadb9312bf271e7c6eaec3474699dae33bff905b6fc39fdd272ae51ce2aad80
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B9105B25087959FD724CE68986579B7BE5AF86300F044EE9E8898F341E730ED84C7D2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • strstr.MSVCR100 ref: 6F8354AF
                                                                                                                                                                                                            • sjoin.LIBMPR(?,6F83BC0C,?,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F8354D4
                                                                                                                                                                                                              • Part of subcall function 6F82F4E0: sjoinv.LIBMPR(?,?), ref: 6F82F4EA
                                                                                                                                                                                                            • mprMakeArgv.LIBMPR(?,00000060,00000001,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F8354EA
                                                                                                                                                                                                            • mprAllocMem.LIBMPR(00000004,00000002,00000000,00000000,?,6F838BFB,?,6F83BC50,00000000,00000000,00000000,00000020), ref: 6F83550A
                                                                                                                                                                                                            • memcpy.MSVCR100(00000000,?,00000000,00000004,00000002,00000000,00000000,?,6F838BFB,?,6F83BC50,00000000,00000000,00000000,00000020), ref: 6F835515
                                                                                                                                                                                                            • mprIsPathAbs.LIBMPR(?,6F83BC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F835526
                                                                                                                                                                                                            • mprGetAppPath.LIBMPR(?,6F83BC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F835532
                                                                                                                                                                                                            • mprGetAppPath.LIBMPR(?,6F83BC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F835541
                                                                                                                                                                                                            • memcpy.MSVCR100(00000008,00000000,00000001,?,?,6F83BC50,00000000,00000000,00000000,00000020,?,?,?,?,00000000,00000000), ref: 6F835594
                                                                                                                                                                                                            • mprAllocMem.LIBMPR(00000008,00000002,00000020,?,?,?,?,00000000,00000000), ref: 6F8355DF
                                                                                                                                                                                                            • mprGetPathBase.LIBMPR(?,?,?,00000020,?,?,?,?,00000000,00000000), ref: 6F8355FC
                                                                                                                                                                                                            • mprTrimPathExt.LIBMPR(00000000,?,?,?,00000020,?,?,?,?,00000000,00000000), ref: 6F835602
                                                                                                                                                                                                            • stitle.LIBMPR(00000000,00000000,?,?,?,00000020,?,?,?,?,00000000,00000000), ref: 6F83560B
                                                                                                                                                                                                            • stitle.LIBMPR(RDM Corporation,00000000,?,?,?,?,?,00000020,?,?,?,?,00000000,00000000), ref: 6F835619
                                                                                                                                                                                                            • sfmt.LIBMPR(%s %s,00000000,00000000,?,?,?,?,?,00000020,?,?,?,?,00000000,00000000), ref: 6F835627
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Path$Allocmemcpystitle$ArgvBaseMakeTrimsfmtsjoinsjoinvstrstr
                                                                                                                                                                                                            • String ID: %s %s$--cygroot$4.6.0.10$RDM Corporation$RDMAppweb
                                                                                                                                                                                                            • API String ID: 2652245442-1530887886
                                                                                                                                                                                                            • Opcode ID: df240af195b663fcb6346077f3d0c8501de704a3938d43402c523cedc6e229ca
                                                                                                                                                                                                            • Instruction ID: 19cbee088e37b253c50d198e9f119c5cfbcf4749f4dd63e56c96526a6288f460
                                                                                                                                                                                                            • Opcode Fuzzy Hash: df240af195b663fcb6346077f3d0c8501de704a3938d43402c523cedc6e229ca
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2D51ABB6D00362ABCB148FACDC85B4A7BA5AF46304F0589E5DC049F2A6E774F804CBD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • memset.MSVCR100 ref: 6F82BC7C
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BCD2
                                                                                                                                                                                                            • __iob_func.MSVCR100 ref: 6F82BCD9
                                                                                                                                                                                                            • _fileno.MSVCR100 ref: 6F82BCDC
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BCDF
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BCF9
                                                                                                                                                                                                            • __iob_func.MSVCR100 ref: 6F82BD00
                                                                                                                                                                                                            • _fileno.MSVCR100 ref: 6F82BD06
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BD09
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BD23
                                                                                                                                                                                                            • __iob_func.MSVCR100 ref: 6F82BD2A
                                                                                                                                                                                                            • _fileno.MSVCR100 ref: 6F82BD30
                                                                                                                                                                                                            • _get_osfhandle.MSVCR100 ref: 6F82BD33
                                                                                                                                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,?,?,?), ref: 6F82BD65
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 6F82BD72
                                                                                                                                                                                                            • mprError.LIBMPR(Cannot create process: %s, %d,?,00000000), ref: 6F82BD8D
                                                                                                                                                                                                            • mprError.LIBMPR(Cannot create process: %s, directory %s is invalid,?,?), ref: 6F82BDB1
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • D, xrefs: 6F82BC87
                                                                                                                                                                                                            • Cannot create process: %s, directory %s is invalid, xrefs: 6F82BDAC
                                                                                                                                                                                                            • Cannot create process: %s, %d, xrefs: 6F82BD88
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: _get_osfhandle$Error__iob_func_fileno$CreateLastProcessmemset
                                                                                                                                                                                                            • String ID: Cannot create process: %s, %d$Cannot create process: %s, directory %s is invalid$D
                                                                                                                                                                                                            • API String ID: 2401045954-2723656400
                                                                                                                                                                                                            • Opcode ID: dcd30d9aad04af4d14a10db0963e634f60e9602aac6c67ac726a0282e5f57870
                                                                                                                                                                                                            • Instruction ID: 2d612cab355a54e4eaad1ae498c5ba2d04da42952efe283162581d177b0a3c1a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: dcd30d9aad04af4d14a10db0963e634f60e9602aac6c67ac726a0282e5f57870
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D41D2B1A04700ABE714DBB9DC45B5B73E8AF85304F004D6CF5858B390EB75F8488B96
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprYield.LIBMPR(00000002), ref: 6F828CE9
                                                                                                                                                                                                              • Part of subcall function 6F827940: mprGetCurrentThread.LIBMPR ref: 6F82794D
                                                                                                                                                                                                            • accept.WS2_32(?,?,00000080), ref: 6F828CFF
• mprResetYield.LIBMPR ref: 6F828D0D
• mprGetError.LIBMPR ref: 6F828D17
• mprCreateSocket.LIBMPR ref: 6F828D37
• closesocket.WS2_32(00000000), ref: 6F828D43
• EnterCriticalSection.KERNEL32(?), ref: 6F828D7D
• LeaveCriticalSection.KERNEL32(?), ref: 6F828D96
• mprTraceProc.LIBMPR(00000002,Rejecting connection, too many client connections (%d),00000000), ref: 6F828DB2
• mprCloseSocket.LIBMPR(00000000,00000000), ref: 6F828DBD
Strings
• Rejecting connection, too many client connections (%d), xrefs: 6F828DAB
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSectionSocketYield$CloseCreateCurrentEnterErrorLeaveProcResetThreadTraceacceptclosesocket
• String ID: Rejecting connection, too many client connections (%d)
• API String ID: 1557811576-2167765890
• Opcode ID: e09371658699a3d27d3b77ed48371d2ed2d403e47546f262a9b550f57cc5c3bc
• Instruction ID: 90daca9dd58030330d10bfbf12ca7e8029b220acda50244c4b2cdcc8e76e85c8
• Opcode Fuzzy Hash: e09371658699a3d27d3b77ed48371d2ed2d403e47546f262a9b550f57cc5c3bc
• Instruction Fuzzy Hash: 2761D271608706ABDB14DF64C845B9BB7E8BF44314F004E9EE9498B181EB74F558CBE2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: __iob_func$fputcfputs$AllocFast_getchexitiscntrlmemcpy
• String ID: Password: $^C
• API String ID: 543249824-30489916
• Opcode ID: 04e70a8b8f74adcc4a23549c89c46df9ec666bb53c379695ca81435289fd6d77
• Instruction ID: 7c39fd61bb22f40604fbc85d1234ff1c6e851806dcb062e8b9fd591d5a82175c
• Opcode Fuzzy Hash: 04e70a8b8f74adcc4a23549c89c46df9ec666bb53c379695ca81435289fd6d77
• Instruction Fuzzy Hash: 814168B290C7425BE724D7788C447AE76949F82314F450FE1E8A58F6A0E755B804C7E3
APIs
  • Part of subcall function 6F826DF0: mprDestroyWaitHandler.LIBMPR(?,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E17
  • Part of subcall function 6F826DF0: _close.MSVCR100 ref: 6F826E2D
  • Part of subcall function 6F826DF0: _close.MSVCR100 ref: 6F826E40
  • Part of subcall function 6F826DF0: TerminateProcess.KERNEL32(?,00000002,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E87
• sclone.LIBMPR(?,?,00000000), ref: 6F8356BA
  • Part of subcall function 6F81C720: mprAllocFast.LIBMPR(?), ref: 6F81C744
  • Part of subcall function 6F81C720: memcpy.MSVCR100(00000000,?,?), ref: 6F81C755
  • Part of subcall function 6F82BAA0: strrchr.MSVCR100 ref: 6F82BB39
• mprSearchPath.LIBMPR(?,00000001,?,00000000), ref: 6F83572A
• mprGetOsError.LIBMPR ref: 6F835744
• mprTraceProc.LIBMPR(00000001,cmd: can't access %s, errno %d,00000000,00000000), ref: 6F835754
• mprGetPathInfo.LIBMPR(00000000,?), ref: 6F835781
• mprTraceProc.LIBMPR(00000001,cmd: program "%s", is a directory,00000000), ref: 6F8357A6
• mprTraceProc.LIBMPR(00000004,mprStartCmd %s), ref: 6F8357C6
• mprTraceProc.LIBMPR(00000006, arg[%d]: %s,00000000), ref: 6F8357F8
• mprGetNextItem.LIBMPR(?,?), ref: 6F835813
• mprTraceProc.LIBMPR(00000006, env[%d]: %s,?,00000000), ref: 6F835837
• mprGetNextItem.LIBMPR(?,?), ref: 6F835848
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: ProcTrace$ItemNextPath_close$AllocDestroyErrorFastHandlerInfoProcessSearchTerminateWaitmemcpysclonestrrchr
• String ID: arg[%d]: %s$ env[%d]: %s$cmd: can't access %s, errno %d$cmd: program "%s", is a directory$mprStartCmd %s$pollWinTimer
• API String ID: 2887012261-788276503
• Opcode ID: 771eeb67982cc5c585827cd67043eb0f3a9a148cc6d1015a474db5ccf9042c01
• Instruction ID: 928cd81f0a17cdf34e4605c3415dca45d26fd7f3e4a1eaf29ed2cb3f1ff47cdb
• Opcode Fuzzy Hash: 771eeb67982cc5c585827cd67043eb0f3a9a148cc6d1015a474db5ccf9042c01
• Instruction Fuzzy Hash: 24719173A04312ABD314DF9CD881A1BB3E5AF95218F504DAEE5468F2A1E731F944CBD2
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F82943A
• EnterCriticalSection.KERNEL32(?), ref: 6F829467
• mprLookupItem.LIBMPR(?,?), ref: 6F82946F
• mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F82947D
• LeaveCriticalSection.KERNEL32(?), ref: 6F82948D
• mprAddItem.LIBMPR(?,?), ref: 6F8294A3
• LeaveCriticalSection.KERNEL32(?), ref: 6F8294C1
• mprWakePendingDispatchers.LIBMPR ref: 6F8294C7
• EnterCriticalSection.KERNEL32(?), ref: 6F8294E1
• SetEvent.KERNEL32(?), ref: 6F8294F8
• LeaveCriticalSection.KERNEL32(?), ref: 6F829506
• mprYield.LIBMPR(00000002), ref: 6F82950E
• mprWaitForCond.LIBMPR(?,000000FF,000000FF,00000002), ref: 6F82951B
• mprResetYield.LIBMPR ref: 6F829523
• EnterCriticalSection.KERNEL32(?), ref: 6F829546
• LeaveCriticalSection.KERNEL32(?), ref: 6F829561
• mprTraceProc.LIBMPR(00000006,Worker exiting. There are %d workers remaining in the pool.,00000000), ref: 6F82957E
Strings
• Worker exiting. There are %d workers remaining in the pool., xrefs: 6F829577
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Item$Yield$CondDispatchersEventLookupPendingProcRemoveResetTraceWaitWake
• String ID: Worker exiting. There are %d workers remaining in the pool.
• API String ID: 2239124211-820293787
• Opcode ID: 3003fff8ee67025e8a140c92519d8d16648b6be0e389a981fa9e8424b4d4ac03
• Instruction ID: 9077fc62e03c8e2da4fc708d4e4540bff3ac1cf55be7b6abe61a44d3d5f943ca
• Opcode Fuzzy Hash: 3003fff8ee67025e8a140c92519d8d16648b6be0e389a981fa9e8424b4d4ac03
• Instruction Fuzzy Hash: 5A51BF75604B06ABDB14CFA5D888B56B7E8BF45314F008ED9E8198F255D730F894DBE0
APIs
• strchr.MSVCR100 ref: 6F823694
• fmt.LIBMPR(?,000000FF,%s %d %s,a %b,?,%H:%M:%S %Z %Y), ref: 6F8236CC
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F8237A7
• memmove.MSVCR100(?,000000FD,?,?,?,0000000A,00000000), ref: 6F8237E9
• _putenv.MSVCR100 ref: 6F823FCD
• strftime.MSVCR100 ref: 6F823FE6
• mprAllocFast.LIBMPR(?), ref: 6F824014
• memcpy.MSVCR100(00000000,?,?), ref: 6F82402C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFastUnothrow_t@std@@@__ehfuncinfo$??2@_putenvmemcpymemmovestrchrstrftime
                                                                                                                                                                                                            • String ID: %H:%M:%S %Z %Y$%a %b %d %H:%M:%S %Z %Y$%s %d %s$0123456789ABCDEF$AaBbCcDdEeFHhIjklMmnOPpRrSsTtUuvWwXxYyZz+%$TZ=$Y-%m-%d$a %b$m/%d/%y
                                                                                                                                                                                                            • API String ID: 1563257558-1723969268
                                                                                                                                                                                                            • Opcode ID: b0d71c8a555d2f6642c31764de5700217b003e97d69b0a711fc684e9a991ff60
                                                                                                                                                                                                            • Instruction ID: 35ef5b0e1dfe9c646ce75992c1e2648e7464f07027bf13e1fa5d33943ebeb9c1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0d71c8a555d2f6642c31764de5700217b003e97d69b0a711fc684e9a991ff60
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 317125B2508B959FDB248F68D86579A7BE1AF86300F044DE9E8858F341E730F985C7D2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprCreateJson.LIBMPR(00000001), ref: 6F8337CE
                                                                                                                                                                                                              • Part of subcall function 6F815320: memset.MSVCR100 ref: 6F815371
                                                                                                                                                                                                            • mprLookupJsonObj.LIBMPR(?,?), ref: 6F83385D
                                                                                                                                                                                                            • mprCreateJson.LIBMPR(00000001), ref: 6F83387F
                                                                                                                                                                                                            • sclone.LIBMPR(?), ref: 6F833892
                                                                                                                                                                                                            • mprBlendJson.LIBMPR(00000000,?,?), ref: 6F8338AE
                                                                                                                                                                                                            • sclone.LIBMPR(?), ref: 6F8338DD
                                                                                                                                                                                                            • mprCloneJson.LIBMPR(?), ref: 6F8338E8
                                                                                                                                                                                                            • mprCreateJson.LIBMPR(?), ref: 6F83392C
                                                                                                                                                                                                            • mprBlendJson.LIBMPR(00000000,?,00000010), ref: 6F83394C
                                                                                                                                                                                                            • sspace.LIBMPR(?), ref: 6F833965
                                                                                                                                                                                                            • mprRemoveJsonChild.LIBMPR(?,00000000), ref: 6F833973
                                                                                                                                                                                                            • mprLookupJsonValue.LIBMPR(?,?), ref: 6F8339B2
                                                                                                                                                                                                            • mprRemoveJsonChild.LIBMPR(?,00000000), ref: 6F8339C0
                                                                                                                                                                                                            • mprLookupJsonValue.LIBMPR(?,?), ref: 6F8339F3
                                                                                                                                                                                                            • mprCloneJson.LIBMPR(?), ref: 6F833A00
                                                                                                                                                                                                            • mprCloneJson.LIBMPR(?), ref: 6F833A29
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Json$CloneCreateLookup$BlendChildRemoveValuesclone$memsetsspace
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1132256894-0
                                                                                                                                                                                                            • Opcode ID: ca16cb62322faae01b4d7ac39a21b05d0d2e597d87be448fd219da8b0f477276
                                                                                                                                                                                                            • Instruction ID: 2fc56ac883f3469c152d7d339d223f1dad8a54d488f5d0d49689d924bcb2f401
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ca16cb62322faae01b4d7ac39a21b05d0d2e597d87be448fd219da8b0f477276
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B913673D08711ABD704DE98D88295BB3E4AF85358F040EA9EC996F261D335FD0687D2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • sclone.LIBMPR(?), ref: 6F837642
                                                                                                                                                                                                            • strrchr.MSVCR100 ref: 6F837654
                                                                                                                                                                                                            • isdigit.MSVCR100 ref: 6F83766B
                                                                                                                                                                                                            • atoi.MSVCR100(00000001), ref: 6F83767C
                                                                                                                                                                                                            • mprSetLogFile.LIBMPR(00000000), ref: 6F8376D4
                                                                                                                                                                                                            • mprLogHeader.LIBMPR ref: 6F8376E3
                                                                                                                                                                                                            • mprGetPathInfo.LIBMPR(00000000,?), ref: 6F837765
                                                                                                                                                                                                            • mprBackupLog.LIBMPR(00000000,?), ref: 6F83779E
                                                                                                                                                                                                            • mprOpenFile.LIBMPR(00000000,-00000200,000001B4), ref: 6F8377AD
                                                                                                                                                                                                            • mprError.LIBMPR(Cannot open log file %s,00000000), ref: 6F8377C3
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$BackupErrorHeaderInfoOpenPathatoiisdigitsclonestrrchr
                                                                                                                                                                                                            • String ID: Cannot open log file %s$none$stderr$stderr:0$stdout
                                                                                                                                                                                                            • API String ID: 244666889-1384815291
                                                                                                                                                                                                            • Opcode ID: 12ffe7b50f803785fa0bc4acbda3ac41648765e142611f1d709ddd818d7ac79c
                                                                                                                                                                                                            • Instruction ID: 6a3d721e3df1bac50d71ed4c65753e1152359f467e5e20ec7875769a5a0fc587
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 12ffe7b50f803785fa0bc4acbda3ac41648765e142611f1d709ddd818d7ac79c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 47512AB3D0C2719BDB148ABC889175A77A65F52258F044EE9DC958F2B1F723E808C7D1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprPrintf.LIBMPR(%12s All tests PASSED for "%s",[REPORT],?), ref: 6F829F72
                                                                                                                                                                                                              • Part of subcall function 6F8230F0: mprPrintfCore.LIBMPR(00000000,000000FF,?,?), ref: 6F8230FE
                                                                                                                                                                                                              • Part of subcall function 6F8230F0: mprWriteFile.LIBMPR(?,00000000,00000001), ref: 6F82312C
                                                                                                                                                                                                            • gettimeofday.LIBMPR(?,00000000), ref: 6F829F93
                                                                                                                                                                                                            • mprPrintf.LIBMPR(%12s %d tests completed, %d test(s) failed.,[DETAILS],?,?,?,?,000003E8,00000000), ref: 6F829FF8
                                                                                                                                                                                                            • mprPrintf.LIBMPR(%12s Elapsed time: %5.2f seconds.,[BENCHMARK],000003E8,00000000), ref: 6F82A011
                                                                                                                                                                                                            • printf.MSVCR100 ref: 6F82A03C
                                                                                                                                                                                                            • printf.MSVCR100 ref: 6F82A043
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Printf$printf$CoreFileWritegettimeofday
                                                                                                                                                                                                            • String ID: %s$%12s %d tests completed, %d test(s) failed.$%12s All tests PASSED for "%s"$%12s Elapsed time: %5.2f seconds.$-------------$Memory Results$[BENCHMARK]$[DETAILS]$[REPORT]
                                                                                                                                                                                                            • API String ID: 2043300237-4193736893
                                                                                                                                                                                                            • Opcode ID: 184e2ff4abf10ffba1857f4a23a5759e3cc0a601cfbffb9b74d282d15454db3d
                                                                                                                                                                                                            • Instruction ID: 50f33662f881a014cf300c7df34d70ef24cb74d303343263dab6b8bd16950bb7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 184e2ff4abf10ffba1857f4a23a5759e3cc0a601cfbffb9b74d282d15454db3d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2621C172900720ABCB10AF98DC41F5AB3E4FB86319F448DA9F5854A791DB71B898CBD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F8213C8
                                                                                                                                                                                                            • mprRemoveEvent.LIBMPR(?), ref: 6F8213D6
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82140D
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821449
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F821474
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F8214A1
                                                                                                                                                                                                            • mprLookupItem.LIBMPR(?), ref: 6F8214A9
                                                                                                                                                                                                            • mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F8214B7
• LeaveCriticalSection.KERNEL32(?), ref: 6F8214C7
• mprAddItem.LIBMPR(00000000), ref: 6F8214DC
• LeaveCriticalSection.KERNEL32(?), ref: 6F8214F4
• LeaveCriticalSection.KERNEL32(?), ref: 6F821507
• EnterCriticalSection.KERNEL32(?), ref: 6F821526
• SetEvent.KERNEL32 ref: 6F82153D
• LeaveCriticalSection.KERNEL32(?), ref: 6F82154F
• LeaveCriticalSection.KERNEL32(?), ref: 6F821562
• LeaveCriticalSection.KERNEL32(?), ref: 6F821574
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter$Item$EventRemove$Lookup
• String ID:
• API String ID: 3343030829-0
• Opcode ID: 975f668598ab3bfc6ec10e9e4145f8ba48a43b9e01e75a0d33138421d585d8d9
• Instruction ID: 86632eb2634043ec3f2179ca56f11c361ef74cced2f13f4e7e761f6b3f1e4c34
• Opcode Fuzzy Hash: 975f668598ab3bfc6ec10e9e4145f8ba48a43b9e01e75a0d33138421d585d8d9
• Instruction Fuzzy Hash: 14518C76A00F029BDF248F64C848B5677E9AF01B10F254EC9E85A9F650D736F884CBE0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F830612
• LeaveCriticalSection.KERNEL32(?), ref: 6F830666
• mprAllocMem.LIBMPR(00000038,00000003), ref: 6F830682
• LeaveCriticalSection.KERNEL32(?), ref: 6F8306BB
• mprAddKey.LIBMPR(?,?,00000000), ref: 6F8306D4
• sclone.LIBMPR(?,?,?,00000000), ref: 6F8306DA
• memcpy.MSVCR100(00000008,?,?), ref: 6F830783
• sclone.LIBMPR(?), ref: 6F8307AC
• sjoin.LIBMPR(?,?,00000000), ref: 6F8307DC
• mprGetTime.LIBMPR ref: 6F83080D
• mprGetTicks.LIBMPR ref: 6F830818
• mprCreateEvent.LIBMPR(?,localCacheTimer,?,?,Function_00017E60,?,00000009), ref: 6F83089E
• LeaveCriticalSection.KERNEL32(?), ref: 6F8308D4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$sclone$AllocCreateEnterEventTicksTimememcpysjoin
• String ID: localCacheTimer
• API String ID: 3146253993-3186840131
• Opcode ID: 171b4a911bcb67fd01e915c8e3378e4f9ae4b69e735a049f393764eff6579087
• Instruction ID: 26264fa64c8b54bf2fd2d332bc80bd390c31a47d5109eaa1b43e1b3b88b1fb34
• Opcode Fuzzy Hash: 171b4a911bcb67fd01e915c8e3378e4f9ae4b69e735a049f393764eff6579087
• Instruction Fuzzy Hash: 1FB1CF76A047119FE714CE68C880B57B7E5AF85708F049EADE8998F261E735F804CBD1
APIs
• sends.LIBMPR(?,6F83BC50), ref: 6F821FAE
• sends.LIBMPR(?,6F83BC4C), ref: 6F821FC9
• strim.LIBMPR(?,6F83BC4C,00000002), ref: 6F821FDD
• _stat64.MSVCR100 ref: 6F821FF1
• strrchr.MSVCR100 ref: 6F82201B
• strpbrk.MSVCR100 ref: 6F82203B
• sclone.LIBMPR(00000001), ref: 6F82204A
  • Part of subcall function 6F81C720: mprAllocFast.LIBMPR(?), ref: 6F81C744
  • Part of subcall function 6F81C720: memcpy.MSVCR100(00000000,?,?), ref: 6F81C755
• GetFileAttributesA.KERNEL32(?), ref: 6F82215A
• CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 6F822181
• GetFileType.KERNEL32(00000000), ref: 6F822194
• CloseHandle.KERNEL32(00000000), ref: 6F8221A8
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: File$sends$AllocAttributesCloseCreateFastHandleType_stat64memcpysclonestrimstrpbrkstrrchr
• String ID: dll$lnk$nul
• API String ID: 911280172-1818615504
• Opcode ID: fcd3de2fd4ced08d64a14c1d2c6540e472d22c710ee9fe06e013ae78f92f876e
• Instruction ID: 63820b325dd57f2e126f017707f0c872253186eefcf3fa3eb51b1db53e66c51c
• Opcode Fuzzy Hash: fcd3de2fd4ced08d64a14c1d2c6540e472d22c710ee9fe06e013ae78f92f876e
• Instruction Fuzzy Hash: C68137716187409FD7248F288880967BBF6AF4A310B444EAEE5D6CF391E736F489C791
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F82A6DE
• LeaveCriticalSection.KERNEL32(?), ref: 6F82A6F9
• EnterCriticalSection.KERNEL32(?), ref: 6F82A75C
• mprRemoveItem.LIBMPR(00000000,?), ref: 6F82A77F
• mprAddItem.LIBMPR(00000000,?), ref: 6F82A796
• LeaveCriticalSection.KERNEL32(?), ref: 6F82A7AE
• LeaveCriticalSection.KERNEL32(?), ref: 6F82A7BE
• mprSignalCond.LIBMPR(?), ref: 6F82A7CC
• mprAvailableWorkers.LIBMPR ref: 6F82A7DF
  • Part of subcall function 6F818C90: mprGetWorkerStats.LIBMPR ref: 6F818C98
• mprStartThread.LIBMPR(?), ref: 6F82A829
• mprCreateEvent.LIBMPR(00000000,pruneWorkers,0001D4C0,00000000,Function_00017750,?,00000003), ref: 6F82A855
• LeaveCriticalSection.KERNEL32(?), ref: 6F82A868
• LeaveCriticalSection.KERNEL32(?), ref: 6F82A87D
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterItem$AvailableCondCreateEventRemoveSignalStartStatsThreadWorkerWorkers
• String ID: pruneWorkers
• API String ID: 3011891347-266833342
• Opcode ID: dc8c4ee1308bf00283894b948c149fef6513561b65a6570d523e0d7ed46d3fb6
• Instruction ID: 40594f5fb1b612b65c49718b29ed3e69a50b798c0ae8a357310698f6fdc47f00
• Opcode Fuzzy Hash: dc8c4ee1308bf00283894b948c149fef6513561b65a6570d523e0d7ed46d3fb6
• Instruction Fuzzy Hash: 90518D76A04B01AFDB24CF28D884B56B3F4BF49B14B008ADAE8559F641D730F881CBE5
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • strchr.MSVCR100 ref: 6F832D83
                                                                                                                                                                                                            • sclone.LIBMPR(?), ref: 6F832D91
                                                                                                                                                                                                              • Part of subcall function 6F81C720: mprAllocFast.LIBMPR(?), ref: 6F81C744
                                                                                                                                                                                                              • Part of subcall function 6F81C720: memcpy.MSVCR100(00000000,?,?), ref: 6F81C755
                                                                                                                                                                                                            • mprCreateBuf.LIBMPR(00000000,00000000), ref: 6F832DA4
                                                                                                                                                                                                            • mprGetJson.LIBMPR(00000000,00000008), ref: 6F832EB4
                                                                                                                                                                                                            • mprPutBlockToBuf.LIBMPR(00000000,?,?), ref: 6F832EEC
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocBlockCreateFastJsonmemcpysclonestrchr
                                                                                                                                                                                                            • String ID: _
                                                                                                                                                                                                            • API String ID: 1886531942-701932520
                                                                                                                                                                                                            • Opcode ID: 5b6ea200c932c0ace484e0d1fa88acfd5fac0227d3da6c473e1c52fd697c48b2
                                                                                                                                                                                                            • Instruction ID: 36db280bbc7a78c333631327d6de20285a1ff95ffd4e08398450a2a91cec6448
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b6ea200c932c0ace484e0d1fa88acfd5fac0227d3da6c473e1c52fd697c48b2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00A12572E087515FD725CEA8D880B5AB7E1AF41344F044EDDE89A8F262D329F80987E1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 6F82E1F0: mprPutBlockToBuf.LIBMPR(?,?,?,00000000,00000004,6F833535,?,00000008,?,00000004,6F835B1F,00000008,00000000), ref: 6F82E24C
                                                                                                                                                                                                              • Part of subcall function 6F82E1F0: mprGrowBuf.LIBMPR(?,00000001), ref: 6F82E4FE
                                                                                                                                                                                                            • memcpy.MSVCR100(00000008,?,?), ref: 6F8335A1
                                                                                                                                                                                                            • mprSetJsonError.LIBMPR(00000008,Expected property name,?,?,?,00000080,00000000), ref: 6F8336E3
                                                                                                                                                                                                            • mprSetJsonError.LIBMPR(00000008,Expected colon), ref: 6F8336F8
                                                                                                                                                                                                            • mprSetJsonError.LIBMPR(00000008,Missing closing brace), ref: 6F83370D
                                                                                                                                                                                                            • mprSetJsonError.LIBMPR(00000008,Missing closing bracket), ref: 6F833722
                                                                                                                                                                                                              • Part of subcall function 6F822AC0: mprPrintfCore.LIBMPR(00000000,000000FF,?,?), ref: 6F822ACF
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ErrorJson$BlockCoreGrowPrintfmemcpy
                                                                                                                                                                                                            • String ID: Expected colon$Expected property name$Missing closing brace$Missing closing bracket$Unexpected input$Unexpected input. Missing comma.
                                                                                                                                                                                                            • API String ID: 3505467696-2771679361
                                                                                                                                                                                                            • Opcode ID: e3af6b73cfa816ad658f88deec229b12df516dcf6b6c557a7917c4362327d9fc
                                                                                                                                                                                                            • Instruction ID: b26153cfb525365f1aa1b408dad1e622d26f59fb77f10980a758ca2ddd7c2c12
                                                                                                                                                                                                            • Opcode Fuzzy Hash: e3af6b73cfa816ad658f88deec229b12df516dcf6b6c557a7917c4362327d9fc
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 815107B3E057342BE72195E8AC83B9B7394DF82219F100CFAE906CE661F715F94582D1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F826749
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F826774
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F826792
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F8267CB
                                                                                                                                                                                                            • WSAAsyncSelect.WS2_32(?,?,?,00000000), ref: 6F8267F0
                                                                                                                                                                                                            • mprRemoveEvent.LIBMPR(?), ref: 6F8267FE
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F826819
                                                                                                                                                                                                            • mprCreateDispatcher.LIBMPR(6F83BF24,00000008), ref: 6F82682C
                                                                                                                                                                                                            • mprCreateEvent.LIBMPR(?,IOEvent,00000000,00000000,6F8196D0,?,00000004), ref: 6F826860
                                                                                                                                                                                                            • mprQueueEvent.LIBMPR(?,00000000,?,IOEvent,00000000,00000000,6F8196D0,?,00000004), ref: 6F826873
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F826888
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82689D
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$EnterEvent$Create$AsyncDispatcherQueueRemoveSelect
                                                                                                                                                                                                            • String ID: IOEvent
                                                                                                                                                                                                            • API String ID: 3241292292-2394719699
                                                                                                                                                                                                            • Opcode ID: 11074487e0f8e37cd8b3f3b009656a827dfa62e5c05a00749ef3942ff927c66c
                                                                                                                                                                                                            • Instruction ID: 118510d6ce02b70b2f13631e7e521bae1f131e3215c30fff222eb259f1a146c5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 11074487e0f8e37cd8b3f3b009656a827dfa62e5c05a00749ef3942ff927c66c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 70417C76600B06AFDB258F64D858B1277F5BF86B10F114E89E8669F690DB74F480CBD0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82A50F
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82A575
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82A5A7
                                                                                                                                                                                                            • mprLookupItem.LIBMPR(?,00000000), ref: 6F82A5AF
                                                                                                                                                                                                            • mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F82A5BD
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82A5CD
                                                                                                                                                                                                            • mprAddItem.LIBMPR(?,00000000), ref: 6F82A5E2
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82A600
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82A61E
                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 6F82A635
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82A643
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F82A65E
                                                                                                                                                                                                            • _beginthreadex.MSVCR100 ref: 6F82A675
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82A699
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82A6B7
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave$Item$EventLookupRemove_beginthreadex
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2007980230-0
                                                                                                                                                                                                            • Opcode ID: 770b3d611133b8f553c353910031acb5c80e86faee2dfbbfe6e6d0befd539ed1
                                                                                                                                                                                                            • Instruction ID: 23099dda92f4b3390bddeddbf6079dd9bbb120f012b2d6e28889b0ba9b3b494d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 770b3d611133b8f553c353910031acb5c80e86faee2dfbbfe6e6d0befd539ed1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9A516A76A04B069BDF248FA4C988B8777E8BF06B10F114D9AE8159F251D734F894CBE0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFastmemcpysprintf
                                                                                                                                                                                                            • String ID: %*.*e$%*.*g$%.*f$VUUU$VUUU
                                                                                                                                                                                                            • API String ID: 3572489130-3146192064
                                                                                                                                                                                                            • Opcode ID: 8ae8862f3a8532335e66f05ae2df9ed254522fb7d2434747e3e81f2e566cb04f
                                                                                                                                                                                                            • Instruction ID: 4958f6a9fd1731b6bcff5df30b727602be7480f613c89be810da2393c7d82512
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8ae8862f3a8532335e66f05ae2df9ed254522fb7d2434747e3e81f2e566cb04f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38B19E716087468FD725CE6CC984A9AB7E1AF86310F048FBDD8D68B742E734E845CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • scaselessmatch.LIBMPR(?,false,?,?,6F822D3E,00000008), ref: 6F81F6BE
                                                                                                                                                                                                            • scaselessmatch.LIBMPR(?,null), ref: 6F81F6D9
                                                                                                                                                                                                              • Part of subcall function 6F81C670: slen.LIBMPR(?), ref: 6F81C6AA
                                                                                                                                                                                                              • Part of subcall function 6F81C670: sncaselesscmp.LIBMPR(?,?,00000000), ref: 6F81C6B5
                                                                                                                                                                                                            • scaselessmatch.LIBMPR(?,true), ref: 6F81F6F7
                                                                                                                                                                                                            • mprAllocFast.LIBMPR(?,?,00000008), ref: 6F81F776
                                                                                                                                                                                                            • memcpy.MSVCR100(00000000,?,?,00000008), ref: 6F81F787
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: scaselessmatch$AllocFastmemcpyslensncaselesscmp
                                                                                                                                                                                                            • String ID: false$null$true$undefined
                                                                                                                                                                                                            • API String ID: 186963584-4254195214
                                                                                                                                                                                                            • Opcode ID: 956326a722cd0e6047598f1f2bc43811aeb6f31cc8ffbf1ca8100a0a57a6bda3
                                                                                                                                                                                                            • Instruction ID: 86ab6d5402e5b99ee7f1227617bf4c6af625de84c860035051fa76d5ae4d1193
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 956326a722cd0e6047598f1f2bc43811aeb6f31cc8ffbf1ca8100a0a57a6bda3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE21B9B580C34777EB04DE689C857963F985F22249F008FEAEC469E163E775A24C8291
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • sclone.LIBMPR(?), ref: 6F822FB5
                                                                                                                                                                                                              • Part of subcall function 6F81C720: mprAllocFast.LIBMPR(?), ref: 6F81C744
                                                                                                                                                                                                              • Part of subcall function 6F81C720: memcpy.MSVCR100(00000000,?,?), ref: 6F81C755
                                                                                                                                                                                                            • getenv.MSVCR100 ref: 6F822FD1
                                                                                                                                                                                                            • mprAllocFast.LIBMPR(00000002), ref: 6F822FFF
                                                                                                                                                                                                            • memcpy.MSVCR100(00000000,00000000,00000001), ref: 6F823010
                                                                                                                                                                                                            • mprMapSeparators.LIBMPR(00000000,00000000), ref: 6F823026
                                                                                                                                                                                                            • gettimeofday.LIBMPR(?,00000000), ref: 6F823035
                                                                                                                                                                                                            • _getpid.MSVCR100(?,00000001), ref: 6F82308D
                                                                                                                                                                                                            • sfmt.LIBMPR(%s/MPR_%d_%d_%d.tmp,00000000,00000000), ref: 6F823096
                                                                                                                                                                                                            • mprOpenFile.LIBMPR(00000000,00008500,000001B4,%s/MPR_%d_%d_%d.tmp,00000000,00000000), ref: 6F8230A8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFastmemcpy$FileOpenSeparators_getpidgetenvgettimeofdaysclonesfmt
                                                                                                                                                                                                            • String ID: %s/MPR_%d_%d_%d.tmp$TEMP
                                                                                                                                                                                                            • API String ID: 2676215584-4031281781
                                                                                                                                                                                                            • Opcode ID: 672d5debe9ac9d8af30ea42869acf4bcbca8a824e78a214c73820c0eae1d2b59
                                                                                                                                                                                                            • Instruction ID: 6e0f18e9863e934a445c07a6ee946b1ce92a24ef45b9b3a5549e2906e21b95d9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 672d5debe9ac9d8af30ea42869acf4bcbca8a824e78a214c73820c0eae1d2b59
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C73125B2A043026BD714DA68EC41BAB73D8DB95314F048DB5EC04CF395EA39E95AC7E1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateLockSpinstokstrchrstrpbrk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1019329176-0
                                                                                                                                                                                                            • Opcode ID: 5adf5b243943d114b2cda1a20d9fca6a09e63c5374845c59478cd21d3ea72ccf
                                                                                                                                                                                                            • Instruction ID: cbc966501b3cf583e7755c3ac4629e976beee0b46ffb314b153d39bac7e490c1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5adf5b243943d114b2cda1a20d9fca6a09e63c5374845c59478cd21d3ea72ccf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE811273D082254BD704CFAC8880E9ABBE49B47254F444EE9D8949F221E731F918CBD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGetTicks.LIBMPR(?,?,?,?,?,?,?,?,?,?,6F82809C,?,00000000), ref: 6F827E83
                                                                                                                                                                                                            • TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6F82809C,?,00000000), ref: 6F827EB4
                                                                                                                                                                                                            • mprGetNextKey.LIBMPR(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,6F82809C,?), ref: 6F827ECE
                                                                                                                                                                                                            • mprTraceProc.LIBMPR(00000003,Cache prune expired key %s,?), ref: 6F827F11
                                                                                                                                                                                                            • mprGetNextKey.LIBMPR(?,00000000), ref: 6F827F24
                                                                                                                                                                                                            • mprTraceProc.LIBMPR(00000003,Cache too big, execess keys %Ld, mem %Ld, prune key %s,?,?,?), ref: 6F827FF1
                                                                                                                                                                                                            • mprRemoveEvent.LIBMPR(?,?,?,?,?,?,?,?,?,?,6F82809C,?,00000000), ref: 6F828065
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6F82809C,?,00000000), ref: 6F82807C
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • Cache too big, execess keys %Ld, mem %Ld, prune key %s, xrefs: 6F827FEA
                                                                                                                                                                                                            • Cache prune expired key %s, xrefs: 6F827F0A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalNextProcSectionTrace$EnterEventLeaveRemoveTicks
                                                                                                                                                                                                            • String ID: Cache prune expired key %s$Cache too big, execess keys %Ld, mem %Ld, prune key %s
                                                                                                                                                                                                            • API String ID: 837705600-3574963290
                                                                                                                                                                                                            • Opcode ID: bddc7dabf9abc0af713c9c2f0a12cf3048a550a2b7fc1a562e5aeefdbfca5b93
                                                                                                                                                                                                            • Instruction ID: 4d4f0f42b236ea9c0ad5421331d1cbac8ef7cd6cd517355bd7a10e6e844dfb56
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bddc7dabf9abc0af713c9c2f0a12cf3048a550a2b7fc1a562e5aeefdbfca5b93
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 76619171A087029BDB14CF69C880A1A73E1AF85714F248EEEE8558F289D735FD85CBD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F823E87
                                                                                                                                                                                                            • memmove.MSVCR100(?,?,?,?,?,0000000A,00000000), ref: 6F823EC2
                                                                                                                                                                                                            • _putenv.MSVCR100 ref: 6F823FCD
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_putenvmemmove
• String ID: %a %b %d %H:%M:%S %Z %Y$-%b-%Y$0123456789ABCDEF$TZ=
• API String ID: 1335054924-94458410
• Opcode ID: a12b1de2ae68534c4b06aa8430c82b22a5b09c87fee73ba9a989138a68ff84bc
• Instruction ID: ef3b291732c6bc6934faf06056b227f078680dbe6ae7c0e660c093bc2098b18f
• Opcode Fuzzy Hash: a12b1de2ae68534c4b06aa8430c82b22a5b09c87fee73ba9a989138a68ff84bc
• Instruction Fuzzy Hash: 7051067A508B859FD724CF68C46479ABBE1AF86300F044EDDE8858B351E730E888C7D2
APIs
• EnterCriticalSection.KERNEL32(?,?,?,6F829368,?,00000000), ref: 6F827777
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6F829368,?,00000000), ref: 6F827802
• mprRemoveItem.LIBMPR(?,00000000,?,?,?,?,?,6F829368,?,00000000), ref: 6F827825
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6F829368,?,00000000), ref: 6F827840
• mprWakePendingDispatchers.LIBMPR(?,?,?,?,?,6F829368,?,00000000), ref: 6F827846
• mprSignalCond.LIBMPR(?,?,?,?,?,?,6F829368,?,00000000), ref: 6F827853
• mprTraceProc.LIBMPR(00000004,Pruned %d workers, pool has %d workers. Limits %d-%d.,00000000,?,?,00000004,?,?,?,?,6F829368,?,00000000), ref: 6F82789D
• mprRemoveEvent.LIBMPR(?,?,?,6F829368,?,00000000), ref: 6F8278BA
• LeaveCriticalSection.KERNEL32(?,?,6F829368,?,00000000), ref: 6F8278D2
Strings
• Pruned %d workers, pool has %d workers. Limits %d-%d., xrefs: 6F827896
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterLeaveRemove$CondDispatchersEventItemPendingProcSignalTraceWake
• String ID: Pruned %d workers, pool has %d workers. Limits %d-%d.
• API String ID: 4237097107-3424832850
• Opcode ID: 5f4f3f38850e77e14edf1787ef29ed2ce514d339010df4851b333d858d27b08c
• Instruction ID: 1c55f81e1d202105ed32b830c4e9f1db2f4a2919854f7474a642e6f43d42a1d8
• Opcode Fuzzy Hash: 5f4f3f38850e77e14edf1787ef29ed2ce514d339010df4851b333d858d27b08c
• Instruction Fuzzy Hash: 08415BB5B04A06AFD718CF6AC484A1ABBE5BF45314F108E9AD8198BA51D730F8D4CBD4
APIs
• sfmt.LIBMPR(%s.%d,?,?,%s.%d,?,?), ref: 6F822E99
• _unlink.MSVCR100(00000000,%s.%d,?,?,%s.%d,?,?), ref: 6F822EA1
• rename.MSVCR100 ref: 6F822EA9
• sfmt.LIBMPR(%s.%d,?,?), ref: 6F822E8B
  • Part of subcall function 6F820FC0: mprPrintfCore.LIBMPR(00000000,000000FF,?,?), ref: 6F820FDB
• sfmt.LIBMPR(6F83BC1C,?), ref: 6F822EBF
• sfmt.LIBMPR(%s.0,?,6F83BC1C,?), ref: 6F822ECC
• _unlink.MSVCR100(00000000,%s.0,?,6F83BC1C,?), ref: 6F822ED4
• rename.MSVCR100 ref: 6F822EDC
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: sfmt$_unlinkrename$CorePrintf
• String ID: %s.%d$%s.0
• API String ID: 1788051516-3104329120
• Opcode ID: 220c7c18e3e59f1de78656e0f85d69defa494c88f7d02eb07cac696683aa5ba3
• Instruction ID: 4fbc0b62b81e3fbfaed8a4f516f4dbb0f756ccaf2a700a97a24c8849d58d7813
• Opcode Fuzzy Hash: 220c7c18e3e59f1de78656e0f85d69defa494c88f7d02eb07cac696683aa5ba3
• Instruction Fuzzy Hash: 5C01F777805A213B5B3056A94C49D9F36DCED462A47050DD4FC059F290DB26AD4383F2
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F823D88
• memmove.MSVCR100(?,?,?,?,?,0000000A,00000000), ref: 6F823DC3
• _putenv.MSVCR100 ref: 6F823FCD
• strftime.MSVCR100 ref: 6F823FE6
• mprAllocFast.LIBMPR(?), ref: 6F824014
• memcpy.MSVCR100(00000000,?,?), ref: 6F82402C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFastUnothrow_t@std@@@__ehfuncinfo$??2@_putenvmemcpymemmovestrftime
• String ID: %a %b %d %H:%M:%S %Z %Y$0123456789ABCDEF$TZ=
• API String ID: 3375014169-3700123410
• Opcode ID: adf34e24825c0ff2bc8c4d315be03005e1ca310c1ab53529a3b09cd336faab39
• Instruction ID: 15932efdf0c51c9e23fd059ddf1793756bfc0a478f31294b39756b7734ee7fd5
• Opcode Fuzzy Hash: adf34e24825c0ff2bc8c4d315be03005e1ca310c1ab53529a3b09cd336faab39
• Instruction Fuzzy Hash: 0041067690C7919BD3248AA8985579ABBE1AF86300F040DDDEC858B255EB74A888C7D2
APIs
• mprPutBlockToBuf.LIBMPR(?,null,00000004,?,6F8315F1,?), ref: 6F82E610
  • Part of subcall function 6F812920: mprGrowBuf.LIBMPR(?,?), ref: 6F812954
  • Part of subcall function 6F812920: memcpy.MSVCR100(?,?,?), ref: 6F812971
• mprPutToBuf.LIBMPR(?,"/%s/",?,?,6F8315F1,?), ref: 6F82E626
• mprGrowBuf.LIBMPR(?,00000001,?,6F8315F1,?,?,?,?,?,6F831683,00000000), ref: 6F82E64C
• mprGrowBuf.LIBMPR(?,00000001,?,?,6F8315F1,?,?,?,?,?,6F831683,00000000), ref: 6F82E68D
• mprGrowBuf.LIBMPR(?,00000001,?,?,6F8315F1,?,?,?,?,?,6F831683,00000000), ref: 6F82E6BF
• mprGrowBuf.LIBMPR(?,00000001,?,6F8315F1,?,?,?,?,?,6F831683,00000000), ref: 6F82E6F6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Grow$Blockmemcpy
• String ID: "/%s/"$null
• API String ID: 3865851121-2731002343
• Opcode ID: 1a57a29b9b4f16b3cb7aeeac2b0b7ce914612099c8e7019ea99f222cf9ba8be3
• Instruction ID: 6788d6ff6c21e546e1ea5d6aca0e7662a8ed3988e92eee117b0116e76f9fa733
• Opcode Fuzzy Hash: 1a57a29b9b4f16b3cb7aeeac2b0b7ce914612099c8e7019ea99f222cf9ba8be3
• Instruction Fuzzy Hash: D6418E70604B419FD321CA3CD990F46BBE5BF52314F048D99D8AA8FA51D325F4C2CBAA
APIs
• mprAllocFast.LIBMPR(00000001), ref: 6F81479A
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFast
• String ID: &#35;$&#39;$&#40;$&#41;$&amp;$&gt;$&lt;$&quot;
• API String ID: 1737628027-3158893792
• Opcode ID: a613e39fef2ee9d92028fab278727a2a9bd43642d5efef0f78b932939edc64f7
• Instruction ID: 31a3c4591b63dc289063b3dbb336f191a5447f0316962108657b67f4b5156167
• Opcode Fuzzy Hash: a613e39fef2ee9d92028fab278727a2a9bd43642d5efef0f78b932939edc64f7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8417F7510EA87C7CB15CF68D5906907BB2BF97328B598BDACC440F366E227544AC381
APIs
• mprGetTimeZoneOffset.LIBMPR(00000000), ref: 6F823F1B
  • Part of subcall function 6F8216B0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F8216DD
  • Part of subcall function 6F8216B0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F821734
  • Part of subcall function 6F8216B0: _localtime64.MSVCR100 ref: 6F82174C
  • Part of subcall function 6F8216B0: _time64.MSVCR100 ref: 6F821756
  • Part of subcall function 6F8216B0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F821776
  • Part of subcall function 6F8216B0: _localtime64.MSVCR100 ref: 6F821788
  • Part of subcall function 6F8216B0: GetTimeZoneInformation.KERNEL32(?,?,000003E8,00000000), ref: 6F8217A3
• fmt.LIBMPR(?,?,%s%02d%02d,6F83BC04), ref: 6F823F72
• _putenv.MSVCR100 ref: 6F823FCD
• strftime.MSVCR100 ref: 6F823FE6
• mprAllocFast.LIBMPR(?), ref: 6F824014
• memcpy.MSVCR100(00000000,?,?), ref: 6F82402C
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$TimeZone_localtime64$AllocFastInformationOffset_putenv_time64memcpystrftime
• String ID: %a %b %d %H:%M:%S %Z %Y$%s%02d%02d$TZ=
• API String ID: 3311336416-4290763159
• Opcode ID: ce5394ea8ee91f1d1fd6d4b938c1cbc66b4bc72c77f4ef63d68172f227c32a32
• Instruction ID: 0f54997c689fbe7725e5e861cec5b07cd75a35beb2b108abba403e0694888a15
• Opcode Fuzzy Hash: ce5394ea8ee91f1d1fd6d4b938c1cbc66b4bc72c77f4ef63d68172f227c32a32
• Instruction Fuzzy Hash: DA316872A086455BD72C8A689C14BEF7AE65FC1300F084EA8E849DF345EA35B94483D1
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F827D5E
• mprYield.LIBMPR(00000002,7FFFFFFF,00000000,000003E8,00000000), ref: 6F827DBB
• select.WS2_32(?,?,?,00000000,?), ref: 6F827DDA
• mprResetYield.LIBMPR ref: 6F827DE2
• GetLastError.KERNEL32 ref: 6F827DEB
• mprError.LIBMPR(Select returned %d, errno %d,00000000,00000000), ref: 6F827E04
• __WSAFDIsSet.WS2_32(?,?), ref: 6F827E16
• __WSAFDIsSet.WS2_32(?,?), ref: 6F827E2D
Strings
• Select returned %d, errno %d, xrefs: 6F827DFF
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: ErrorYield$LastResetUnothrow_t@std@@@__ehfuncinfo$??2@select
• String ID: Select returned %d, errno %d
• API String ID: 536040513-3447022823
• Opcode ID: a60d7b7dbcf6dcdaf5cd04356b65b68f7ad183fb26af59a6ae8d704a8f012149
• Instruction ID: 10a718c0c6742b33c8e508f3a7a505553107fd025dcb6d7fb676d58733705c7d
• Opcode Fuzzy Hash: a60d7b7dbcf6dcdaf5cd04356b65b68f7ad183fb26af59a6ae8d704a8f012149
• Instruction Fuzzy Hash: 73312B769043406BD724DF69C845AEFB6D8ABC5710F004EAEE859CF190DB34A944C7E2
APIs
• mprTraceProc.LIBMPR(00000002,Service thread started), ref: 6F82AF62
  • Part of subcall function 6F826F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6F826F52
• mprGetCurrentThread.LIBMPR ref: 6F82AF80
• mprCreateWindow.LIBMPR(?), ref: 6F82AF8E
• EnterCriticalSection.KERNEL32(?), ref: 6F82AFB8
• SetEvent.KERNEL32(00000000), ref: 6F82AFCF
• LeaveCriticalSection.KERNEL32(?), ref: 6F82AFDD
• mprServiceEvents.LIBMPR(000000FF,000000FF,00000000), ref: 6F82AFE9
• mprScheduleDispatcher.LIBMPR(?), ref: 6F82B008
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$CoreCreateCurrentDispatcherEnterEventEventsLeavePrintfProcScheduleServiceThreadTraceWindow
• String ID: Service thread started
• API String ID: 416440883-2842766315
• Opcode ID: c7a08304434a27588fe9a1ab719c7755ebdb5cc776ce617bb1af6e9ba70d00c7
• Instruction ID: 29c232ead1a7b0a85bfc87a5674a8fdfd4b9f0058b88d9d2a5bf2019e8cafcc1
• Opcode Fuzzy Hash: c7a08304434a27588fe9a1ab719c7755ebdb5cc776ce617bb1af6e9ba70d00c7
• Instruction Fuzzy Hash: 3721D5B6A04B21AFCB14DF14D844B46B3E46F05B24F158ED9E819AF2A1D734F984CBD1
Strings
• Missing closing element name for "%s", xrefs: 6F8372BD
• !--, xrefs: 6F8371DE, 6F83720C
• Closing element name "%s" does not match on line %d. Opening name "%s", xrefs: 6F837311
• Syntax error, xrefs: 6F8371A6
• Missing element name, xrefs: 6F83729D
• Missing assignment for attribute "%s", xrefs: 6F83723E
• XML token is too big, xrefs: 6F837187
• Missing value for attribute "%s", xrefs: 6F837259
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID:
• String ID: !--$Closing element name "%s" does not match on line %d. Opening name "%s"$Missing assignment for attribute "%s"$Missing closing element name for "%s"$Missing element name$Missing value for attribute "%s"$Syntax error$XML token is too big
• API String ID: 0-811401538
• Opcode ID: 7ef3d941dfb1cff2deb686af5b42b48d056c09639111655a231c20225d03df90
• Instruction ID: c11c4e312f43eb37ced73098b08180b45e113be811e44bba83f2ff0dbaff4d23
• Opcode Fuzzy Hash: 7ef3d941dfb1cff2deb686af5b42b48d056c09639111655a231c20225d03df90
• Instruction Fuzzy Hash: EAB13A77E48324A7D6005AACAC80F5E7394EF82724F940DA5FD54CE3E1E726E50982E6
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834F09
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834F2E
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834F69
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834F8B
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834F9D
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F834FAD
                                                                                                                                                                                                            • mprGetNextItem.LIBMPR(?,?,?,?,-00000002,00000001,?,6F836C32,?), ref: 6F83501B
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(00000000), ref: 6F835070
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000), ref: 6F83508A
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(00000000), ref: 6F8350A4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$ItemNext
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 433691312-0
                                                                                                                                                                                                            • Opcode ID: 5622c355bb2a3097f1c2762317d1776ea8e08b6ebe8ad8ca64f5bcd38acad736
                                                                                                                                                                                                            • Instruction ID: b7a263f735c68ad649288a8ee39c5b224e675dbdd7ffef19a7a3ceaa7692ee1b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5622c355bb2a3097f1c2762317d1776ea8e08b6ebe8ad8ca64f5bcd38acad736
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CA51C732908B529BDB18CEA8C494716B7B1BFC1210F190D89E8654F6A1D772F895CBE1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • __aulldvrm.LIBCMT ref: 6F81BC78
                                                                                                                                                                                                            • __aulldvrm.LIBCMT ref: 6F81BCDD
                                                                                                                                                                                                            • __aulldvrm.LIBCMT ref: 6F81BD30
                                                                                                                                                                                                            • mprAllocFast.LIBMPR(?,?,?,?,?), ref: 6F81BE94
                                                                                                                                                                                                            • memcpy.MSVCR100(00000000,00000000,?), ref: 6F81BEAB
                                                                                                                                                                                                            • mprAllocFast.LIBMPR(?,?,?,?,?), ref: 6F81BF37
                                                                                                                                                                                                            • memcpy.MSVCR100(00000000,00000000,?), ref: 6F81BF4E
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: __aulldvrm$AllocFastmemcpy
                                                                                                                                                                                                            • String ID: VUUU
                                                                                                                                                                                                            • API String ID: 3236365011-2040033107
                                                                                                                                                                                                            • Opcode ID: 18ab80a962d875df06c65db7e3cb31514344bdbe33005bb36ad87d713ec3c1e7
                                                                                                                                                                                                            • Instruction ID: 0268993f24fa7c033107eb796363c948f75f17ea64b33e0a585dc061a50068e3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 18ab80a962d875df06c65db7e3cb31514344bdbe33005bb36ad87d713ec3c1e7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56C1AD7160874A8FD729CE29C590B5BB7E6AF85304F048FADE8968F741EB34E805CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: strspn$CreateHashstokstrpbrk
                                                                                                                                                                                                            • String ID: ,
                                                                                                                                                                                                            • API String ID: 3921055132-3920508318
                                                                                                                                                                                                            • Opcode ID: ac0bbedee06e50f5aea7cfbf91e7a6702ac347cc92ff4c2d6b1dabb322b14680
                                                                                                                                                                                                            • Instruction ID: 66c4fc1074225efc4137f966268133b2e3e6c1b74cce7ade2445aca4706afe90
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ac0bbedee06e50f5aea7cfbf91e7a6702ac347cc92ff4c2d6b1dabb322b14680
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE310873A057256BD3018658AC40BBBB7D8DF83275F140EA6FC449F242F7A5FA4882E5
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F8216DD
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F821734
                                                                                                                                                                                                            • _localtime64.MSVCR100 ref: 6F82174C
                                                                                                                                                                                                            • _time64.MSVCR100 ref: 6F821756
                                                                                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F821776
                                                                                                                                                                                                            • _localtime64.MSVCR100 ref: 6F821788
                                                                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,?,000003E8,00000000), ref: 6F8217A3
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$_localtime64$InformationTimeZone_time64
                                                                                                                                                                                                            • String ID: o
                                                                                                                                                                                                            • API String ID: 1571913215-252678980
                                                                                                                                                                                                            • Opcode ID: d869145bc28d5d47d8c637f2668188b0c837d1616416176fb2cb02ce63d8814f
                                                                                                                                                                                                            • Instruction ID: f6c0789d31453904427d5a570c7ca201fac1435a149ad841c2864c8a8f176e14
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d869145bc28d5d47d8c637f2668188b0c837d1616416176fb2cb02ce63d8814f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F531C372904740ABE720CB68CC41B5F73E9AFC4714F104E9AF4599B2D0DB35E544CB92
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F8286A3
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F35
                                                                                                                                                                                                              • Part of subcall function 6F818F20: InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438A4,000005DC), ref: 6F818F50
                                                                                                                                                                                                              • Part of subcall function 6F818F20: EnterCriticalSection.KERNEL32(6F8438A4), ref: 6F818F64
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F6A
                                                                                                                                                                                                              • Part of subcall function 6F818F20: LeaveCriticalSection.KERNEL32(6F8438A4), ref: 6F818FB7
                                                                                                                                                                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 6F8286F0
                                                                                                                                                                                                            • mprQueueIOEvent.LIBMPR ref: 6F82870F
                                                                                                                                                                                                            • mprQueueIOEvent.LIBMPR(?), ref: 6F82873A
                                                                                                                                                                                                            • mprYield.LIBMPR(00000002), ref: 6F828777
                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 6F828787
                                                                                                                                                                                                            • mprResetYield.LIBMPR ref: 6F82878D
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F828792
                                                                                                                                                                                                            • mprResetYield.LIBMPR ref: 6F8287CC
                                                                                                                                                                                                              • Part of subcall function 6F827AB0: mprGetCurrentThread.LIBMPR ref: 6F827ABD
                                                                                                                                                                                                              • Part of subcall function 6F827AB0: mprError.LIBMPR(Yield called from an unknown thread), ref: 6F827ACD
                                                                                                                                                                                                              • Part of subcall function 6F826BD0: GetExitCodeProcess.KERNEL32(?,?), ref: 6F826BEC
                                                                                                                                                                                                              • Part of subcall function 6F826BD0: CloseHandle.KERNEL32(?,?,?,6F826E94,?,?,?,6F826ECE,?,00000000), ref: 6F826C12
                                                                                                                                                                                                              • Part of subcall function 6F826BD0: CloseHandle.KERNEL32(?,?,6F826E94,?,?,?,6F826ECE,?,00000000), ref: 6F826C1B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountCriticalSectionYield$CloseEventHandleQueueResetTickTicks$CodeCurrentEnterErrorExitInitializeLeaveNamedObjectPeekPipeProcessSingleSpinThreadWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 548240172-0
                                                                                                                                                                                                            • Opcode ID: c76851d81a98cfb854221c77e0f5d2753b83b6404cc3e42d7485823a8372f619
                                                                                                                                                                                                            • Instruction ID: a6a12c28a8495cae7832eb35906acaa806bace690596cd6e3673f465f1589930
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c76851d81a98cfb854221c77e0f5d2753b83b6404cc3e42d7485823a8372f619
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7641C371648712AFEB08DF24C845B5BB7E4BF80754F004EAAE8558B550E730F594CBE2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • strchr.MSVCR100 ref: 6F823477
                                                                                                                                                                                                            • atoi.MSVCR100(00000001), ref: 6F823488
                                                                                                                                                                                                            • mprOpenFile.LIBMPR(?,00004301,000001B4), ref: 6F823565
                                                                                                                                                                                                            • mprEprintf.LIBMPR(Cannot open log file %s,?), ref: 6F82357D
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EprintfFileOpenatoistrchr
                                                                                                                                                                                                            • String ID: Cannot open log file %s$stderr$stdout
                                                                                                                                                                                                            • API String ID: 2689364700-1436576749
                                                                                                                                                                                                            • Opcode ID: 9577bd19221095b4c8ad6c7ece475769348809a6c49920a987381649e683a1dc
                                                                                                                                                                                                            • Instruction ID: b7b3c68a8f60d0d9b651e8a7650f33b1a5c291c3a432a939720d0b21eea60c96
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9577bd19221095b4c8ad6c7ece475769348809a6c49920a987381649e683a1dc
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E631A5716041405BDB0A8F3499E3AA277B69F16624B084EE5DC49CF252D722FD99C7D0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • memset.MSVCR100 ref: 6F82FCE5
                                                                                                                                                                                                            • mprCreateCond.LIBMPR ref: 6F82FD19
                                                                                                                                                                                                            • mprCreateList.LIBMPR(000000FF,00000000), ref: 6F82FD29
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F82FD3E
                                                                                                                                                                                                            • mprCreateThread.LIBMPR(main,00000000), ref: 6F82FD6A
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F82FD83
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateThread$Current$CondListmemset
                                                                                                                                                                                                            • String ID: main
                                                                                                                                                                                                            • API String ID: 173652438-3207122276
                                                                                                                                                                                                            • Opcode ID: a89f229d82f78bd8ec55d1ef97befc40e1598f6fe26836b989c538f7c91a517b
                                                                                                                                                                                                            • Instruction ID: 2c2b59d34e49ef74a76f5ccf876ae1137d9388d7a1e365c3327d173343e9bbcd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a89f229d82f78bd8ec55d1ef97befc40e1598f6fe26836b989c538f7c91a517b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: BC21E4B1B046125BE7188B28EC15B57B7E0AF61324F148EA9E9558F2D1E774F485CBC0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • memset.MSVCR100 ref: 6F837E05
                                                                                                                                                                                                            • mprCreateList.LIBMPR(000000FF,00000000), ref: 6F837E3E
                                                                                                                                                                                                            • mprCreateSpinLock.LIBMPR ref: 6F837E48
                                                                                                                                                                                                            • mprGetAppDir.LIBMPR(6F83CA48,C:/Program Files/RDM Appweb/bin,00000000), ref: 6F837E73
                                                                                                                                                                                                            • mprGetAppDir.LIBMPR(6F83CA48,00000000,6F83CA48,C:/Program Files/RDM Appweb/bin,00000000), ref: 6F837E7E
                                                                                                                                                                                                            • sjoin.LIBMPR(00000000,6F83CA48,00000000,6F83CA48,C:/Program Files/RDM Appweb/bin,00000000), ref: 6F837E84
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            • C:/Program Files/RDM Appweb/bin, xrefs: 6F837E69
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Create$ListLockSpinmemsetsjoin
                                                                                                                                                                                                            • String ID: C:/Program Files/RDM Appweb/bin
                                                                                                                                                                                                            • API String ID: 3185242918-3501384537
                                                                                                                                                                                                            • Opcode ID: 7a07fe3824d6b8c576618f98e2746df6a23676695948a0587b2aa254d1366a16
                                                                                                                                                                                                            • Instruction ID: ed74ed4ace53efccfbe7e8c1c99edf0f63f7b8212ce45e71feccdd0e38bbb4ca
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7a07fe3824d6b8c576618f98e2746df6a23676695948a0587b2aa254d1366a16
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08210AB3E082656BEB04CBACDC05B5A77909F52714F448EE9E9409F2E1E734E805C7D0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFast_putenvmemcpystrftime
                                                                                                                                                                                                            • String ID: %a %b %d %H:%M:%S %Z %Y$H:%M:%S$TZ=
                                                                                                                                                                                                            • API String ID: 267161455-3694597381
                                                                                                                                                                                                            • Opcode ID: d3f7fa68e19872d5c2b0561acb2b9d62d871c1b2013ab96279e09b629ae9858d
                                                                                                                                                                                                            • Instruction ID: 1676fcbfccc0db2b8dc6a0020ee1999109bfdaf904eb6e12b1ebde377c44519e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3f7fa68e19872d5c2b0561acb2b9d62d871c1b2013ab96279e09b629ae9858d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE1102738086909BD734CB689804BDE7BE0BF85310F044E9AD8499B241D735A948C7E2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                             • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFast_putenvmemcpystrftime
                                                                                                                                                                                                            • String ID: %a %b %d %H:%M:%S %Z %Y$H:%M$TZ=
                                                                                                                                                                                                            • API String ID: 267161455-843693239
                                                                                                                                                                                                            • Opcode ID: 0e6f87e5a2929051dc2b92d54af0701d1a68454b66e6a711a053f27d9d09ce04
                                                                                                                                                                                                            • Instruction ID: aa9ab6fb483254a393430066a24c50e1cf3c8a443e98f54d25af5c2475b948a2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0e6f87e5a2929051dc2b92d54af0701d1a68454b66e6a711a053f27d9d09ce04
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8611E4738097949BD735CB6898047DF7BE06F86300F044EDAD8899B241D735B948C7E2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • memcpy.MSVCR100(00000008,?,?,?), ref: 6F82F849
                                                                                                                                                                                                            • sjoin.LIBMPR(00000008,6F83C79C,?,00000000,?), ref: 6F82F86D
                                                                                                                                                                                                            • memcpy.MSVCR100(00000008,00000008,00000009,?,?), ref: 6F82F8C1
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?), ref: 6F82F8ED
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?), ref: 6F82F90B
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?), ref: 6F82F938
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?), ref: 6F82F952
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?), ref: 6F82F96E
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Entermemcpy$sjoin
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 327486428-0
                                                                                                                                                                                                            • Opcode ID: 97fe18b9dec5181c6d96efd005c8933cb8d8ae2823074be47dee16c4e4578805
                                                                                                                                                                                                            • Instruction ID: 89d74fbe3cdd5753e09aec95f74502f05b7640b23ccbe40465b6329a9bada32d
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 97fe18b9dec5181c6d96efd005c8933cb8d8ae2823074be47dee16c4e4578805
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 705111B6B00B15ABDB158B28C888B56B3E4EF51714F040EE9EC519F355E720F985C7D0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocFastmemcpy$ItemTicksmemsetsclone
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3486054326-0
                                                                                                                                                                                                            • Opcode ID: f784ae4a2506a1310cd2343d4c1ecde31b60fd62cc2a7684fd8b072527ea9122
                                                                                                                                                                                                            • Instruction ID: be73ade1413b774d2e28160570be6abae59b6a1314e9fe985766e250e9f955e9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f784ae4a2506a1310cd2343d4c1ecde31b60fd62cc2a7684fd8b072527ea9122
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1941E3B2A0C7075BD305CA28D840B57BBE5AF96204F088FA6E858CF356FB75E408C790
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F81A52B
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81A561
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81A56F
                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32 ref: 6F81A57D
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81A593
                                                                                                                                                                                                            • ResetEvent.KERNEL32 ref: 6F81A5A0
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F81A5CB
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81A605
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeaveTicks$EventObjectResetSingleWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1199745191-0
                                                                                                                                                                                                            • Opcode ID: d92a92109b935ce3aed8b44adf9ef23efdede470d11667d900e0a12736e29063
                                                                                                                                                                                                            • Instruction ID: 6bc31e59d4d0db12eef1721c683b390f78af7b2a20aedefed8566df8d3aceff4
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d92a92109b935ce3aed8b44adf9ef23efdede470d11667d900e0a12736e29063
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A31AA72A0C7139FDB14CEA8DD4465AB7A5BF46724F014B99E8599F240D770EC08C7D1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F8215A5
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F8215D6
                                                                                                                                                                                                            • mprRemoveItem.LIBMPR(00000000,?), ref: 6F8215F5
                                                                                                                                                                                                            • mprAddItem.LIBMPR(00000000,?), ref: 6F82160C
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821620
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821630
                                                                                                                                                                                                            • mprSignalCond.LIBMPR(?), ref: 6F82163E
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F82165A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$EnterItem$CondRemoveSignal
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2627179098-0
                                                                                                                                                                                                            • Opcode ID: 2ba63ae3cedb280d8375bddd1f6c48f6e43ac73945f0802e8af82f8f0de55f60
                                                                                                                                                                                                            • Instruction ID: bad99e49076bd879598d786e79307c02d8e013550f58b6615642db871875f61a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2ba63ae3cedb280d8375bddd1f6c48f6e43ac73945f0802e8af82f8f0de55f60
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5F218175A00F069BDB148E65CD84E5AB7E8BF05710B144DE9E855DF610E736F880CBE0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprNormalizePath.LIBMPR(?), ref: 6F833E27
                                                                                                                                                                                                              • Part of subcall function 6F8323A0: strpbrk.MSVCR100 ref: 6F83241F
                                                                                                                                                                                                              • Part of subcall function 6F8323A0: slen.LIBMPR(00000008), ref: 6F8324B6
                                                                                                                                                                                                              • Part of subcall function 6F8164D0: strpbrk.MSVCR100 ref: 6F8164E6
                                                                                                                                                                                                              • Part of subcall function 6F8164D0: strchr.MSVCR100 ref: 6F8164F8
                                                                                                                                                                                                            • strpbrk.MSVCR100 ref: 6F833E63
                                                                                                                                                                                                            • mprGetAbsPath.LIBMPR(?), ref: 6F833E8D
                                                                                                                                                                                                            • _getcwd.MSVCR100 ref: 6F833EA3
                                                                                                                                                                                                            • mprGetAbsPath.LIBMPR(00000000), ref: 6F833EC8
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Pathstrpbrk$Normalize_getcwdslenstrchr
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3355736632-0
                                                                                                                                                                                                            • Opcode ID: 1df97ab1902640acb10ecb991634de04ac8c351ea4b2ffe0df02a1e28310bd09
                                                                                                                                                                                                            • Instruction ID: 830495f9f7f60c97abbc834407a4f3fbe8a9ba8fe4bd866f26838cfed3a4187e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1df97ab1902640acb10ecb991634de04ac8c351ea4b2ffe0df02a1e28310bd09
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B0C10636A0C3914BDB058F6884613AABBE1BF86308F584DD9D8D54F362D727E84AC7D1
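The function records above share one fixed layout: an APIs list with call-site addresses, a Memory Dump Source line carrying the image base (Offset: 6F810000 for the RDMAppman module), the IDA plugin snapshot name, and the Similarity identifiers. The parser below is an added example, not part of the Joe Sandbox report or of the analyzed installer. It turns records in that layout into structured data, rebases each call-site address against the dump offset so it can be followed in IDA regardless of where the module is loaded, and indexes which functions reach a given import, the usual pivot when hunting for a specific API sequence across a report. The sample input is two records copied from this page; the field names are taken from the records as shown, and the only assumption beyond them is that the HTML export glues the link text "Download File" onto "Associated" lines, which the parser strips.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two function records copied from the report above (module RDMAppman, dumped at base 0x6F810000);
# the "Associated" line keeps the "Download File" link text that the HTML export glues on.
SAMPLE = """\
APIs
• memcpy.MSVCR100(00000008,?,?,?), ref: 6F82F849
• sjoin.LIBMPR(00000008,6F83C79C,?,00000000,?), ref: 6F82F86D
• EnterCriticalSection.KERNEL32(?,?,?), ref: 6F82F8ED
• LeaveCriticalSection.KERNEL32(?,?,?), ref: 6F82F90B
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Entermemcpy$sjoin
• Instruction Fuzzy Hash: 705111B6B00B15ABDB158B28C888B56B3E4EF51714F040EE9EC519F355E720F985C7D0
APIs
• mprNormalizePath.LIBMPR(?), ref: 6F833E27
  • Part of subcall function 6F8323A0: strpbrk.MSVCR100 ref: 6F83241F
• strpbrk.MSVCR100 ref: 6F833E63
• mprGetAbsPath.LIBMPR(?), ref: 6F833E8D
• _getcwd.MSVCR100 ref: 6F833EA3
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
Similarity
• API ID: Pathstrpbrk$Normalize_getcwdslenstrchr
"""

HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w$@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<val>.*)$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int  # virtual address of the call site in the dump
    via_subcall: Optional[int] = None  # address of the nested helper that actually makes the call


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)
    associated: List[str] = field(default_factory=list)  # a record lists several associated dumps
    image_base: Optional[int] = None

    def rva(self, va: int) -> int:
        # offset from the dumped image base, valid in IDA whatever base the module is loaded at
        assert self.image_base is not None, "record has no Memory Dump Source offset"
        return va - self.image_base

    def import_sequence(self, include_subcalls: bool = False) -> List[str]:
        return [f"{c.module}!{c.name}" for c in self.calls if include_subcalls or c.via_subcall is None]


def parse_records(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        # drop indentation, the bullet glyph and the "Download File" link residue
        line = re.sub(r"\s*Download File$", "", raw.strip().lstrip("•").strip())
        if not line:
            continue
        if line in HEADERS:
            section = line
            if line == "APIs":  # every record opens with APIs, even when no call is listed
                records.append(FunctionRecord())
            continue
        if not records:
            continue
        rec = records[-1]
        if section == "APIs":
            if m := CALL_RE.match(line):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                caller = int(m["caller"], 16) if m["caller"] else None
                rec.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
            continue
        if (m := KV_RE.match(line)) is None:
            continue
        if m["key"] == "Associated":
            rec.associated.append(m["val"])
        else:
            rec.meta[m["key"]] = m["val"]
        if m["key"] == "Source File":
            off = OFFSET_RE.search(m["val"])
            rec.image_base = int(off.group(1), 16) if off else None
    return records


def index_by_import(records: List[FunctionRecord]) -> Dict[str, List[int]]:
    # MODULE!api -> indices of the records that reach it, directly or through a subcall
    idx: Dict[str, List[int]] = {}
    for i, rec in enumerate(records):
        for imp in sorted(set(rec.import_sequence(include_subcalls=True))):
            idx.setdefault(imp, []).append(i)
    return idx
```

Call-site addresses in the report are virtual addresses inside the dump taken at base 6F810000, so `rva()` on the first `memcpy` reference (6F82F849) yields 0x1F849, an offset that survives relocation. Subcall entries are kept in order but flagged with the helper's address, so a direct-import sequence can be compared across records while the full sequence is still available for indexing.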
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: tolower$isdigitisspace
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F82D734
• itos.LIBMPR(?), ref: 6F82D7C1
• getaddrinfo.WS2_32 ref: 6F82D7DD
• LeaveCriticalSection.KERNEL32(?), ref: 6F82D7F7
• memmove.MSVCR100(00000000,?,?,?), ref: 6F82D85A
• freeaddrinfo.WS2_32(?,?), ref: 6F82D883
• LeaveCriticalSection.KERNEL32(?), ref: 6F82D899
Similarity
• API ID: CriticalSection$Leave$Enterfreeaddrinfogetaddrinfoitosmemmove
APIs
Similarity
• API ID: _open$AllocErrorFastLastSleepmemcpymemset
APIs
  • Part of subcall function 6F81D810: strchr.MSVCR100 ref: 6F81D868
  • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKEY_LOCAL_MACHINE,?,0000005C), ref: 6F81D896
  • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKLM,?,?,?,0000005C), ref: 6F81D8AF
  • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(00000000,HKEY_CURRENT_USER,?,?,?,?,?,0000005C), ref: 6F81D8C4
  • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKCU,?,?,?,?,?,?,?,0000005C), ref: 6F81D8D9
  • Part of subcall function 6F81D810: scaselesscmp.LIBMPR(?,HKEY_USERS,?,?,?,?,?,?,?,?,?,0000005C), ref: 6F81D8EE
• RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00020019,?), ref: 6F82FF85
• mprCreateList.LIBMPR(00000000,00000000), ref: 6F82FF93
• RegEnumValueA.ADVAPI32 ref: 6F82FFBB
• mprAddItem.LIBMPR(00000000,00000008,00000000), ref: 6F830022
• RegEnumValueA.ADVAPI32 ref: 6F83004B
• RegCloseKey.ADVAPI32(00000000), ref: 6F83005E
Similarity
• API ID: scaselesscmp$EnumValue$CloseCreateItemListOpenstrchr
APIs
• mprNormalizePath.LIBMPR(?), ref: 6F835DD7
  • Part of subcall function 6F8323A0: strpbrk.MSVCR100 ref: 6F83241F
  • Part of subcall function 6F8323A0: slen.LIBMPR(00000008), ref: 6F8324B6
• memcpy.MSVCR100(00000008,?,?), ref: 6F835E4B
• stok.LIBMPR ref: 6F835E6B
• mprJoinPath.LIBMPR(00000000,?,6F83CA48,?), ref: 6F835E8C
• strspn.MSVCR100 ref: 6F835EA9
• strpbrk.MSVCR100 ref: 6F835EBC
• strspn.MSVCR100 ref: 6F835ED5
Similarity
• API ID: Pathstrpbrkstrspn$JoinNormalizememcpyslenstok
APIs
• mprCreateBuf.LIBMPR(00000000,00000000), ref: 6F831F35
• EnterCriticalSection.KERNEL32(?), ref: 6F831F66
• LeaveCriticalSection.KERNEL32(?), ref: 6F831F88
• mprPutBlockToBuf.LIBMPR(00000000), ref: 6F831FA3
• mprPutBlockToBuf.LIBMPR(00000000,?,?), ref: 6F831FC0
• LeaveCriticalSection.KERNEL32(?), ref: 6F831FD2
• mprGrowBuf.LIBMPR(00000000,00000001), ref: 6F832009
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$BlockLeave$CreateEnterGrow
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2196048174-0
                                                                                                                                                                                                            • Opcode ID: 315db4f8d9cde2a91b676e2544964c1e6952d69214e542b166040604db0b326c
                                                                                                                                                                                                            • Instruction ID: 23f37c0ecbb9e3fa0acae34c1524f0718437441594db9175d975396550abb5c5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 315db4f8d9cde2a91b676e2544964c1e6952d69214e542b166040604db0b326c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1031A172E04B16ABD705CEA8C894F26BBA5EF42B44F108E95E818CF265D735F814CBD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGetTicks.LIBMPR(00000006,00000000), ref: 6F81DCA7
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F35
                                                                                                                                                                                                              • Part of subcall function 6F818F20: InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438A4,000005DC), ref: 6F818F50
                                                                                                                                                                                                              • Part of subcall function 6F818F20: EnterCriticalSection.KERNEL32(6F8438A4), ref: 6F818F64
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F6A
                                                                                                                                                                                                              • Part of subcall function 6F818F20: LeaveCriticalSection.KERNEL32(6F8438A4), ref: 6F818FB7
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81DCD9
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,00000006,00000000), ref: 6F81DD37
                                                                                                                                                                                                            • mprGetTicks.LIBMPR(00000006,00000000), ref: 6F81DD4E
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81DD6A
                                                                                                                                                                                                            • mprWaitForCond.LIBMPR(?,00000014,00000000,00000006,00000000), ref: 6F81DD81
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F81DD89
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$CountLeaveTicks$EnterTick$CondInitializeSpinWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 4154715635-0
                                                                                                                                                                                                            • Opcode ID: 439a5dc2953782ef4c59f8f07cd2e81ddafa676b6bb456bec1c9a9281870ef65
                                                                                                                                                                                                            • Instruction ID: 59e8133c2ea8c920a7d686d21139d92e199bb0bb2fa383db648d6014f292f576
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 439a5dc2953782ef4c59f8f07cd2e81ddafa676b6bb456bec1c9a9281870ef65
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D631A1B270870B9BEB18DE28C844B5677A6BB41714F114EE9D815CF281D771E85ACBE0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGrowBuf.LIBMPR(?,00001000), ref: 6F82DFFE
                                                                                                                                                                                                            • mprCloseCmdFd.LIBMPR(?,?), ref: 6F82E00C
                                                                                                                                                                                                            • mprReadCmd.LIBMPR(?,?,?,?), ref: 6F82E025
                                                                                                                                                                                                              • Part of subcall function 6F812CD0: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6F812CF0
                                                                                                                                                                                                              • Part of subcall function 6F812CD0: _read.MSVCR100 ref: 6F812D12
                                                                                                                                                                                                            • mprGetError.LIBMPR ref: 6F82E02F
                                                                                                                                                                                                            • mprCloseCmdFd.LIBMPR(?,?), ref: 6F82E04A
                                                                                                                                                                                                            • mprGrowBuf.LIBMPR(?,00000001), ref: 6F82E07D
                                                                                                                                                                                                            • mprWaitOn.LIBMPR(?,?), ref: 6F82E0A9
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseGrow$ErrorNamedPeekPipeReadWait_read
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1717420865-0
                                                                                                                                                                                                            • Opcode ID: ccba8a46b11915fb350669b468477abae4c9aaf0510458ccd2af416c97e62053
                                                                                                                                                                                                            • Instruction ID: a7e6013a4f7ab70573914b1a82dc22399fd7dee371ebb280e4d047fda76bfdad
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ccba8a46b11915fb350669b468477abae4c9aaf0510458ccd2af416c97e62053
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82319F756007049FDB24CF39D880E1A77E8FF41365F008CAAE959CF641E721F8818BA9
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81D007
                                                                                                                                                                                                            • mprRemoveItem.LIBMPR(?,00000000,?,?,?,6F82A825), ref: 6F81D02D
                                                                                                                                                                                                            • mprAddItem.LIBMPR(00000000,00000000,?,?,?,6F82A825), ref: 6F81D059
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,6F82A825), ref: 6F81D071
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,6F82A825), ref: 6F81D087
                                                                                                                                                                                                            • mprWakePendingDispatchers.LIBMPR(?,?,?,6F82A825), ref: 6F81D091
                                                                                                                                                                                                            • mprSignalCond.LIBMPR(?,?), ref: 6F81D0A1
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$ItemLeave$CondDispatchersEnterPendingRemoveSignalWake
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 497666225-0
                                                                                                                                                                                                            • Opcode ID: cdab0e4e503c9d723d9bd443a42b51db31b0e64f1cb2019e359f3083072aeb52
                                                                                                                                                                                                            • Instruction ID: dddc4e153e34e86f0b54b72e71b9475a575fec6980d959152d143c8e57140e5a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cdab0e4e503c9d723d9bd443a42b51db31b0e64f1cb2019e359f3083072aeb52
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9D21F47790DA17ABDE28DE68E848B9BB3A5AF01710F004F8ED8558F600D721F441C7E0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F837C6D
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F837C87
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F837CA1
                                                                                                                                                                                                            • mprScheduleDispatcher.LIBMPR(?), ref: 6F837CC2
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F837CEB
                                                                                                                                                                                                            • mprShutdown.LIBMPR(00000000,00000000,00000000,00000000), ref: 6F837D02
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F837D12
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CurrentThread$CriticalSection$DispatcherEnterLeaveScheduleShutdown
• String ID:
• API String ID: 2071689746-0
• Opcode ID: b07b0b3a74100a91d729c15275820b09a697d9af5a71c7e753c39defdeb79a25
• Instruction ID: 53e574079ce6358d99f1af652722598134f537c6260cdc864bdb90c10f826f8c
• Opcode Fuzzy Hash: b07b0b3a74100a91d729c15275820b09a697d9af5a71c7e753c39defdeb79a25
• Instruction Fuzzy Hash: A421D072A08722DFDB249E98C840B5AB3E0AF04715F104ED9E4465F6A0D730F842CBE5
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81CF42
• mprGetCurrentThread.LIBMPR ref: 6F81CF48
• EnterCriticalSection.KERNEL32(?), ref: 6F81CF69
• LeaveCriticalSection.KERNEL32(?), ref: 6F81CF92
• LeaveCriticalSection.KERNEL32(?), ref: 6F81CFAD
• LeaveCriticalSection.KERNEL32(?), ref: 6F81CFC3
• LeaveCriticalSection.KERNEL32(?), ref: 6F81CFD1
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter$CurrentThread
• String ID:
• API String ID: 1614919063-0
• Opcode ID: 1e9a18c1ea25233d1015e4c36f617b682189f150cded7477f7ea1ffb7341f06b
• Instruction ID: 4e181dd861e2aea2650d0356335eb7aad2c45c83a1a1a4bf49fa57ac97f09ff4
• Opcode Fuzzy Hash: 1e9a18c1ea25233d1015e4c36f617b682189f150cded7477f7ea1ffb7341f06b
• Instruction Fuzzy Hash: 63218E76708B479BDF24CE64D844ADA77A4AF46A21B014FEAF911DF652C770F804C7A0
APIs
• mprOpenFile.LIBMPR(?,00008301,?), ref: 6F8276D0
• mprError.LIBMPR(Cannot open %s,?), ref: 6F8276E4
• mprWriteFile.LIBMPR(00000000,?,?), ref: 6F8276F7
• mprError.LIBMPR(Cannot write %s,?), ref: 6F827709
  • Part of subcall function 6F827010: mprPrintfCore.LIBMPR(?,00002000,?,?,6F825F72,Cannot open log file %s,?), ref: 6F827042
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: ErrorFile$CoreOpenPrintfWrite
• String ID: Cannot open %s$Cannot write %s
• API String ID: 748526641-3218205261
• Opcode ID: f8528666c365008777a8b3b614eb7da83c78c5821e7c5b367c4cbeb84af49c88
• Instruction ID: 47fb7cd5e9db4ec4f0a5ce4a0ccc5034cd13221d340f2e2976ec22f1388635a9
• Opcode Fuzzy Hash: f8528666c365008777a8b3b614eb7da83c78c5821e7c5b367c4cbeb84af49c88
• Instruction Fuzzy Hash: 57112673A045146BC601DA6EAC80D9F73E9DFC6364B154AE6EC448F311DB22FC0A86E2
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFast_putenvmemcpystrftime
• String ID: %a %b %d %H:%M:%S %Z %Y$TZ=
• API String ID: 267161455-943992507
• Opcode ID: 79add305b7ec9d47a02373422a09babeb4bbcdb129e68c9bf017e1005432b13f
• Instruction ID: 88d03b23d5152467ef7ca046f3fe8257efff2b0af3772a6d9efa524a41a9d938
• Opcode Fuzzy Hash: 79add305b7ec9d47a02373422a09babeb4bbcdb129e68c9bf017e1005432b13f
• Instruction Fuzzy Hash: EF11E6738087919BD735876498047DF7BE46FC5300F044EDAD8895B245DB75B58883E2
APIs
• mprStartModuleService.LIBMPR ref: 6F82AEF1
  • Part of subcall function 6F81B8D0: EnterCriticalSection.KERNEL32(?), ref: 6F81B908
  • Part of subcall function 6F81B8D0: LeaveCriticalSection.KERNEL32(?), ref: 6F81B923
  • Part of subcall function 6F81B8D0: LeaveCriticalSection.KERNEL32(?), ref: 6F81B950
• mprSetMinWorkers.LIBMPR(?), ref: 6F82AF07
  • Part of subcall function 6F82A4F0: EnterCriticalSection.KERNEL32(?), ref: 6F82A50F
  • Part of subcall function 6F82A4F0: EnterCriticalSection.KERNEL32(?), ref: 6F82A575
  • Part of subcall function 6F82A4F0: EnterCriticalSection.KERNEL32(?), ref: 6F82A5A7
  • Part of subcall function 6F82A4F0: mprLookupItem.LIBMPR(?,00000000), ref: 6F82A5AF
  • Part of subcall function 6F82A4F0: mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F82A5BD
  • Part of subcall function 6F82A4F0: LeaveCriticalSection.KERNEL32(?), ref: 6F82A5CD
  • Part of subcall function 6F82A4F0: mprAddItem.LIBMPR(?,00000000), ref: 6F82A5E2
  • Part of subcall function 6F82A4F0: LeaveCriticalSection.KERNEL32(?), ref: 6F82A643
• mprError.LIBMPR(Cannot start MPR services), ref: 6F82AF19
  • Part of subcall function 6F827010: mprPrintfCore.LIBMPR(?,00002000,?,?,6F825F72,Cannot open log file %s,?), ref: 6F827042
• mprTraceProc.LIBMPR(00000003,MPR services are ready), ref: 6F82AF43
Strings
• MPR services are ready, xrefs: 6F82AF3C
• Cannot start MPR services, xrefs: 6F82AF14
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Item$CoreErrorLookupModulePrintfProcRemoveServiceStartTraceWorkers
• String ID: Cannot start MPR services$MPR services are ready
• API String ID: 2274173592-1008306016
• Opcode ID: 2d4fab8480af636d68fe1bfa3085c74d3ef6db18e1cba5d3743f545824f699c3
• Instruction ID: bde19bdda7c0d2fb89b932382bc057449321ac68baa340838a2c86398eef4c15
• Opcode Fuzzy Hash: 2d4fab8480af636d68fe1bfa3085c74d3ef6db18e1cba5d3743f545824f699c3
• Instruction Fuzzy Hash: 8BE0E5B6E006207BCB00E7289806B1532D06B5561CF144EE5D9049F3A6E730FA48D6C1
APIs
  • Part of subcall function 6F816530: strpbrk.MSVCR100 ref: 6F81653C
  • Part of subcall function 6F816530: strchr.MSVCR100 ref: 6F816547
• mprGetAbsPath.LIBMPR(?), ref: 6F834644
  • Part of subcall function 6F833AC0: mprNormalizePath.LIBMPR(6F83C79C), ref: 6F833B02
  • Part of subcall function 6F833AC0: mprMapSeparators.LIBMPR(00000000,?,6F83C79C), ref: 6F833B11
• mprNormalizePath.LIBMPR(?), ref: 6F83464B
• mprGetAbsPath.LIBMPR(?), ref: 6F834665
• mprNormalizePath.LIBMPR(?), ref: 6F83466C
  • Part of subcall function 6F8323A0: strpbrk.MSVCR100 ref: 6F83241F
  • Part of subcall function 6F8323A0: slen.LIBMPR(00000008), ref: 6F8324B6
• tolower.MSVCR100 ref: 6F834735
• tolower.MSVCR100 ref: 6F83473F
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Path$Normalize$strpbrktolower$Separatorsslenstrchr
• String ID:
• API String ID: 654894045-0
• Opcode ID: c8b104889290a6401e4879305017deca1eb8f349424fb3adb5f562afb2efa4bf
• Instruction ID: e9aa1b7c0f6e6d4bf79a76f65d3d44bca65c66155a46b5337ce3bd91332ff9d3
• Opcode Fuzzy Hash: c8b104889290a6401e4879305017deca1eb8f349424fb3adb5f562afb2efa4bf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9B41D82790D2F95ADF098EB468902F57F627F87168F2C08DAD8D54F252D313A45AC7D0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: memcpysclonestrpbrk
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2977372922-0
                                                                                                                                                                                                            • Opcode ID: 13699a2bb7b97e2f2833d7d7c1ff85341ae4d7502b25299e6c10f956ee41edf2
                                                                                                                                                                                                            • Instruction ID: 72321302945bb255fe1207ebaed76a7079e86a66d626028287ba9afa46f672e5
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 13699a2bb7b97e2f2833d7d7c1ff85341ae4d7502b25299e6c10f956ee41edf2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: C34138B3B186125BD7058AFDA88469A73E8EF81366F080CF6ED41CF201E710F89883D4
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F824D16
                                                                                                                                                                                                            • mprAllocMem.LIBMPR(00000038,00000003), ref: 6F824D43
                                                                                                                                                                                                            • stoiradix.LIBMPR(?,0000000A,00000000), ref: 6F824D82
                                                                                                                                                                                                            • itos.LIBMPR(?,?), ref: 6F824DBE
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F824DE8
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F824E0C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$AllocEnterLeaveTicksitosstoiradix
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2963402353-0
                                                                                                                                                                                                            • Opcode ID: 1f5f95219f03e263b4672fc0c9f52769f1197bc464dc8fedb01bba5ecb0e54c2
                                                                                                                                                                                                            • Instruction ID: f7ed236613b9417fdf5e5b642492844869feff7649b184dde5a0efb60d2e26a1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1f5f95219f03e263b4672fc0c9f52769f1197bc464dc8fedb01bba5ecb0e54c2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F7418F756047029BD714CE28D844B56B7F4BFC4754F548EA9E8898F742EB30F9488BE1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 6F8224B0
                                                                                                                                                                                                            • mprGetNextEvent.LIBMPR(?), ref: 6F8224C0
                                                                                                                                                                                                              • Part of subcall function 6F81EF80: EnterCriticalSection.KERNEL32(?), ref: 6F81EF9E
                                                                                                                                                                                                              • Part of subcall function 6F81EF80: LeaveCriticalSection.KERNEL32(?), ref: 6F81F006
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F822502
                                                                                                                                                                                                            • mprQueueEvent.LIBMPR(?,00000000), ref: 6F82255D
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F822590
                                                                                                                                                                                                            • mprGetNextEvent.LIBMPR(?), ref: 6F82259B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Event$EnterLeaveNext$CurrentQueueThread
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 726065260-0
                                                                                                                                                                                                            • Opcode ID: 5bf2a71fb68496f3ac8a28b2fca388ae6836237b417c6e8e66e55ffea29da346
                                                                                                                                                                                                            • Instruction ID: d30420b316ea3ee3828a25a185b8ff42bf3fbef9459abdc5ccbc94f5211841b3
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5bf2a71fb68496f3ac8a28b2fca388ae6836237b417c6e8e66e55ffea29da346
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8414C75A157019FD764CF29D980956B7E0FF48310B809E6EE89A87B00D339F894CB91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Create$EventQueue$AllocCondFastmemcpymemset
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1993025318-0
                                                                                                                                                                                                            • Opcode ID: 83a43370c830677e33a6b4e110f8f4d9633ce47544a44aa4dcd23bb7d4f38b3d
                                                                                                                                                                                                            • Instruction ID: 5e4c49d4f0d027bfc15431c929cda546a0031c25367d56f807051871ae0e3656
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83a43370c830677e33a6b4e110f8f4d9633ce47544a44aa4dcd23bb7d4f38b3d
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B231E2B2A443069FE709CF2CD850A5BB7E4AF91318F148EA9E885CF255E724F4498BD1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • memset.MSVCR100 ref: 6F82F6EF
                                                                                                                                                                                                            • mprCreateList.LIBMPR ref: 6F82F742
                                                                                                                                                                                                            • mprCreateList.LIBMPR(000000FF,00000000), ref: 6F82F74E
                                                                                                                                                                                                            • mprCreateList.LIBMPR(000000FF,00000000,000000FF,00000000), ref: 6F82F75A
                                                                                                                                                                                                            • gettimeofday.LIBMPR(?,00000000,000000FF,00000000,000000FF,00000000), ref: 6F82F769
                                                                                                                                                                                                            • mprCreateSpinLock.LIBMPR(?,?,000003E8,00000000,?,?,?,?,?,?,000000FF,00000000), ref: 6F82F7A6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Create$List$LockSpingettimeofdaymemset
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3407186005-0
                                                                                                                                                                                                            • Opcode ID: 92482883781a47e4d9615ea1cbbe66001ce9d353171bb00af46274581d8668c7
                                                                                                                                                                                                            • Instruction ID: eef8aa1503baf5061bda716d63a998aa91a81b24d2900d9615ad9947140e73fa
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 92482883781a47e4d9615ea1cbbe66001ce9d353171bb00af46274581d8668c7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E031FE71B043406BE7248B7DDC41B4AB6E5EF90724F184AAEE8858F6D0E664F448CB90
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F819711
• EnterCriticalSection.KERNEL32(?), ref: 6F819735
• LeaveCriticalSection.KERNEL32(?), ref: 6F81974F
• PostMessageA.USER32(?,00000000,00000000,00000000), ref: 6F81979B
• LeaveCriticalSection.KERNEL32(?), ref: 6F8197AD
• LeaveCriticalSection.KERNEL32(?), ref: 6F8197BC
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Enter$MessagePost
• String ID:
• API String ID: 1393311332-0
• Opcode ID: c38ff40825d268ff35592f77fc69bbb4364f456c0b0111b4fee30685c39cc365
• Instruction ID: 619fc67f7b272c23f1032fbf05a79e074dad83cbf42d39b66a1ea78720039850
• Opcode Fuzzy Hash: c38ff40825d268ff35592f77fc69bbb4364f456c0b0111b4fee30685c39cc365
• Instruction Fuzzy Hash: 62217C35604B029FDB28CF54C888B9677A5BF417A1F158EA9E8199F264C730F848CB90
APIs
• memset.MSVCR100 ref: 6F82FDE5
• mprCreateSpinLock.LIBMPR ref: 6F82FE19
• mprCreateList.LIBMPR ref: 6F82FE33
• mprSetListLimits.LIBMPR(00000000,?,000000FF), ref: 6F82FE42
• mprCreateList.LIBMPR(00000000,00000000,00000000,?,000000FF), ref: 6F82FE4B
• mprSetListLimits.LIBMPR(00000000,?,000000FF,00000000,00000000,00000000,?,000000FF), ref: 6F82FE59
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: List$Create$Limits$LockSpinmemset
• String ID:
• API String ID: 1208153340-0
• Opcode ID: fe6faffa1b0b67ec68f571a93b1bc1940fe5397f29be0131c00512595481f7cd
• Instruction ID: ab4e45903aab171848b80a4c10c35f5673cda3b801919f721b759a0b4d6673ff
• Opcode Fuzzy Hash: fe6faffa1b0b67ec68f571a93b1bc1940fe5397f29be0131c00512595481f7cd
• Instruction Fuzzy Hash: 222101B1A083016BE7198B38DC06B5BB6E09F51328F108E9CE9959F2D5E778B484C7C4
APIs
• GetCurrentThreadId.KERNEL32 ref: 6F81CE32
• _getpid.MSVCR100(?,?,6F82132A), ref: 6F81CE3A
• EnterCriticalSection.KERNEL32(?), ref: 6F81CE71
• mprLookupItem.LIBMPR(?,?), ref: 6F81CE79
• mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F81CE87
• LeaveCriticalSection.KERNEL32(?), ref: 6F81CE97
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalItemSection$CurrentEnterLeaveLookupRemoveThread_getpid
• String ID:
• API String ID: 1937444460-0
• Opcode ID: 950a329b3267cebe894ee4a2b0e7c4fbca7528c6bffd4df051bc1a811fd57848
• Instruction ID: 4450306e7412b545ec1d506d4372b7cba6c8e67fe9a0bf0c9192a23820f48429
• Opcode Fuzzy Hash: 950a329b3267cebe894ee4a2b0e7c4fbca7528c6bffd4df051bc1a811fd57848
• Instruction Fuzzy Hash: B4018F76604703AFCB24CFA4D8C886BB7B8BB462117000FBAE4469B211D734A455DBA1
APIs
• mprGetAppDir.LIBMPR(6F83CA48,C:/Program Files/RDM Appweb/bin,?), ref: 6F837810
  • Part of subcall function 6F835EF0: mprGetAppPath.LIBMPR ref: 6F835EFB
  • Part of subcall function 6F835EF0: mprGetPathDir.LIBMPR(00000000), ref: 6F835F01
• mprGetAppDir.LIBMPR(6F83CA48,00000000,6F83CA48,C:/Program Files/RDM Appweb/bin,?), ref: 6F83781B
• sjoin.LIBMPR(00000000,6F83CA48,00000000,6F83CA48,C:/Program Files/RDM Appweb/bin,?), ref: 6F837821
  • Part of subcall function 6F82F4E0: sjoinv.LIBMPR(?,?), ref: 6F82F4EA
Strings
• C:/Program Files/RDM Appweb/bin, xrefs: 6F837806
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Path$sjoinsjoinv
• String ID: C:/Program Files/RDM Appweb/bin
• API String ID: 1841184671-3501384537
• Opcode ID: 355cbc1f7a4b5aa3ef7cdd59d3e80572132ad0e4e2fffe397a38c081b71432c1
• Instruction ID: ce5fec29c9e5f76effc980d8bcffdc018c8ad7915748bab18e2125cbbdc66bf2
• Opcode Fuzzy Hash: 355cbc1f7a4b5aa3ef7cdd59d3e80572132ad0e4e2fffe397a38c081b71432c1
• Instruction Fuzzy Hash: 1B1108B3F05225BBD7009ADCAC40AABBB98DF51656B0449F6F804DF261EB21E900C3D4
APIs
• mprPrintfCore.LIBMPR(00000000,000000FF,?,?), ref: 6F831C90
• mprTraceProc.LIBMPR(?,%s: %s,00000000,?), ref: 6F831CB9
  • Part of subcall function 6F826F20: mprPrintfCore.LIBMPR(?,00002000,?,?), ref: 6F826F52
• mprCreateBuf.LIBMPR(00000000,00000000,?,00000000,00000001), ref: 6F831CCD
• mprTraceProc.LIBMPR(?,%s: %s,00000000,00000000), ref: 6F831CE6
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CorePrintfProcTrace$Create
• String ID: %s: %s
• API String ID: 1421985458-3740598653
• Opcode ID: 600ec0df81ee5b9dda7df2ef5f3afe2e4385a71c870be476aa40e2757bfddd68
• Instruction ID: 577def3282fe7a54d70204917cdf12d9fce220cb3ebb4f49a9de913ca9aae1ac
• Opcode Fuzzy Hash: 600ec0df81ee5b9dda7df2ef5f3afe2e4385a71c870be476aa40e2757bfddd68
• Instruction Fuzzy Hash: 3FF0C877E042203BE210A69CBC42FBB779CDB81728F104DD5F914AF2D6E660795682F1
APIs
• mprCreateThread.LIBMPR(events,6F82AF50,00000000,00000000), ref: 6F82B57F
• mprCreateCond.LIBMPR ref: 6F82B5AF
• mprStartThread.LIBMPR(00000000), ref: 6F82B5C1
• mprWaitForCond.LIBMPR(?,00002710,00000000), ref: 6F82B5EF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CondCreateThread$StartWait
                                                                                                                                                                                                            • String ID: events
                                                                                                                                                                                                            • API String ID: 1800318595-1401378634
                                                                                                                                                                                                            • Opcode ID: 3b90527856422c161faf6c2b72f35f38e911dd4540e570d608cffabb52185cfb
                                                                                                                                                                                                            • Instruction ID: 8468511491a0b892a7eac958673d40cd60e2bff07d346379ddcf419fa24e7111
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b90527856422c161faf6c2b72f35f38e911dd4540e570d608cffabb52185cfb
                                                                                                                                                                                                            • Instruction Fuzzy Hash: E101D670A086116BD358DB28DD46B9677D0AB41324F14CBE9E8188F3C2EA75FC95D7C1
APIs
• printf.MSVCR100 ref: 6F8296B1
• printf.MSVCR100 ref: 6F8296B8
• mprGC.LIBMPR(00000005), ref: 6F8296D6
  • Part of subcall function 6F8295B0: EnterCriticalSection.KERNEL32(?), ref: 6F82960B
  • Part of subcall function 6F8295B0: mprSignalCond.LIBMPR(?), ref: 6F82964C
  • Part of subcall function 6F8295B0: LeaveCriticalSection.KERNEL32(?), ref: 6F829662
  • Part of subcall function 6F8295B0: mprYield.LIBMPR(?), ref: 6F829674
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSectionprintf$CondEnterLeaveSignalYield
• String ID: %s$-------------
• API String ID: 3375464023-3213519511
• Opcode ID: 5291f426268256e83e03ce6127ba9314b1e38bde064d2d41954c012f51f3ee8c
• Instruction ID: 3401cecc566be9f52130f18eada70d6a5558abd6658792dfc5dfdbfcd771f1bf
• Opcode Fuzzy Hash: 5291f426268256e83e03ce6127ba9314b1e38bde064d2d41954c012f51f3ee8c
• Instruction Fuzzy Hash: 60E0C2769043226BD600ABE8AC40B8A7ED0AF46358F0509C9F8440B387D6715DE0CAD1
APIs
• mprCreateJson.LIBMPR(00000001), ref: 6F831D07
  • Part of subcall function 6F815320: memset.MSVCR100 ref: 6F815371
• memcpy.MSVCR100(00000008,?,?), ref: 6F831DD9
• memset.MSVCR100 ref: 6F831E49
• mprLookupJsonObj.LIBMPR(00000000,?), ref: 6F831E9D
• mprCreateBuf.LIBMPR(00000000,00000000,?,00000000,?), ref: 6F831F08
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CreateJsonmemset$Lookupmemcpy
• String ID:
• API String ID: 3295496219-0
• Opcode ID: e07f0e5ca90f030d5b2acfa9600594559d88f943025619d33dadb8c144680507
• Instruction ID: 8a16d107773bafd57d3080f31cbf4e331778bc34d9d1db40c01e7b3b6c7327c2
• Opcode Fuzzy Hash: e07f0e5ca90f030d5b2acfa9600594559d88f943025619d33dadb8c144680507
• Instruction Fuzzy Hash: A961F6B2E04B269BE718CF98C840B56B7A5EF42B04F188EA9D8558F365E771F805C7D0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: isspace$Itemmemcpy
• String ID:
• API String ID: 1180261371-0
• Opcode ID: 67cd9f6e24f5e4f8b901221b11afe0572fdefc455f77775e23cb4291b68a3425
• Instruction ID: 0c6fcaca43b4d486bf1cdce95bded4761ea11859c5ccfbbcacfd091c87d4d097
• Opcode Fuzzy Hash: 67cd9f6e24f5e4f8b901221b11afe0572fdefc455f77775e23cb4291b68a3425
• Instruction Fuzzy Hash: 2B4177B17083595BC7098F2C9E4069A77E9AF62718F154FEAECA48F291E721F484C7D0
APIs
• mprGetNextItem.LIBMPR(?,?,?,?,00000001,?,?,6F81CC68,?,?,?,00000001,6F836CF2,?,?,?), ref: 6F8184E0
• sncaselesscmp.LIBMPR(?,00000000,00000000), ref: 6F818564
• EnterCriticalSection.KERNEL32(?), ref: 6F81857E
• LeaveCriticalSection.KERNEL32(?), ref: 6F8185A0
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterItemLeaveNextsncaselesscmp
• String ID:
• API String ID: 2077902711-0
• Opcode ID: 6573a2cc67588dd3afe422c2ce02446aac1a610cb89cc2cf5a99d869075be8b9
• Instruction ID: fd06774e0301885216f79b983e17480942bb173e4e733159c81f9af6a6d6c87c
• Opcode Fuzzy Hash: 6573a2cc67588dd3afe422c2ce02446aac1a610cb89cc2cf5a99d869075be8b9
• Instruction Fuzzy Hash: F941917220C3179BDB05CF689C85AE777A5EB86361B244FE9EC55CF201EB21E4098690
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFastmemcpy$memset
• String ID:
• API String ID: 1693033320-0
• Opcode ID: 8c41466f2b64daf1b833062b9cff9a0c7844fde6df75ee98d336d947fcde8945
• Instruction ID: b4d307e5f2acde43aff05ae3f7a8b1985d21fae027df0c7efc402f416b6ce581
• Opcode Fuzzy Hash: 8c41466f2b64daf1b833062b9cff9a0c7844fde6df75ee98d336d947fcde8945
• Instruction Fuzzy Hash: 5F313AB2B0C61F5BD309CA6C8854BD77BA59F83254F084BF9E9408F256F725E90883D0
APIs
• mprAllocFast.LIBMPR(?), ref: 6F81EBB7
• memcpy.MSVCR100(00000000,?,?), ref: 6F81EBCC
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFastmemcpy
• String ID:
• API String ID: 2273661864-0
APIs
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6F825715,?), ref: 6F825640
• mprRemoveEvent.LIBMPR(?,?,?,?,?,?,?,?,?,?,?,?,?,6F825715,?), ref: 6F82565E
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6F825715,?), ref: 6F825685
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6F825715,?), ref: 6F8256B9
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,6F825715,?), ref: 6F8256D6
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$EventRemove
• String ID:
• API String ID: 1322679306-0
APIs
• EnterCriticalSection.KERNEL32(?,?,?,6F826931,00000003), ref: 6F819E83
• EnterCriticalSection.KERNEL32(?,00000000,00000006,?,?,6F826931,00000003), ref: 6F819EF7
• SetEvent.KERNEL32(?,00000000,00000006,?,?,6F826931,00000003), ref: 6F819F0E
• LeaveCriticalSection.KERNEL32(?,00000000,00000006,?,?,6F826931,00000003), ref: 6F819F1C
• LeaveCriticalSection.KERNEL32(?,?,?,6F826931,00000003), ref: 6F819F40
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$EnterLeave$Event
• String ID:
• API String ID: 3097309470-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F824EF2
• LeaveCriticalSection.KERNEL32(?), ref: 6F824F1E
• mprGetTicks.LIBMPR ref: 6F824F32
  • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F35
  • Part of subcall function 6F818F20: InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438A4,000005DC), ref: 6F818F50
  • Part of subcall function 6F818F20: EnterCriticalSection.KERNEL32(6F8438A4), ref: 6F818F64
  • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F6A
  • Part of subcall function 6F818F20: LeaveCriticalSection.KERNEL32(6F8438A4), ref: 6F818FB7
• mprGetTicks.LIBMPR ref: 6F824F69
• LeaveCriticalSection.KERNEL32(?), ref: 6F824F90
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$CountLeave$EnterTickTicks$InitializeSpin
• String ID:
• API String ID: 1181584890-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: strpbrkstrspn$strchr
• String ID:
• API String ID: 164667652-0
APIs
• mprGetPathBase.LIBMPR(?), ref: 6F821C99
  • Part of subcall function 6F820000: mprAllocFast.LIBMPR(00000001), ref: 6F82000B
• strrchr.MSVCR100 ref: 6F821CC0
• mprAllocFast.LIBMPR(?), ref: 6F821CF1
• memcpy.MSVCR100(00000000,?,?), ref: 6F821D02
• sclone.LIBMPR(?), ref: 6F821D26
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFast$BasePathmemcpysclonestrrchr
• String ID:
• API String ID: 1831013287-0
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 6F81AE7F
• SetFilePointer.KERNEL32(00000000,?,00000000,00000000), ref: 6F81AE91
• SetEndOfFile.KERNEL32(00000000), ref: 6F81AE9D
• CloseHandle.KERNEL32(00000000), ref: 6F81AEA8
• CloseHandle.KERNEL32(00000000), ref: 6F81AEB3
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: File$CloseHandle$CreatePointer
• String ID:
• API String ID: 3952902809-0
APIs
• GetTickCount.KERNEL32 ref: 6F818F35
• InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438A4,000005DC), ref: 6F818F50
• EnterCriticalSection.KERNEL32(6F8438A4), ref: 6F818F64
• GetTickCount.KERNEL32 ref: 6F818F6A
• LeaveCriticalSection.KERNEL32(6F8438A4), ref: 6F818FB7
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CountCriticalSection$Tick$EnterInitializeLeaveSpin
• String ID:
• API String ID: 913726059-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: EscapeHtml
• String ID: X$o$u
• API String ID: 3798845104-1931322230
APIs
Strings
• Glob match is too recursive, xrefs: 6F8275E1
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: tolower
• String ID: Glob match is too recursive
• API String ID: 3025214199-2740951505
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: AllocFast__alldvrmmemcpy
• String ID: 0123456789ABCDEF
• API String ID: 3745241628-2554083253
APIs
• mprCreateDispatcher.LIBMPR(6F83BF24,00000008), ref: 6F8266D3
• mprCreateEvent.LIBMPR(?,IOEvent,00000000,00000000,6F8196D0,?,00000004), ref: 6F826706
• mprQueueEvent.LIBMPR(?,00000000,?,IOEvent,00000000,00000000,6F8196D0,?,00000004), ref: 6F826719
Strings
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CreateEvent$DispatcherQueue
• String ID: IOEvent
• API String ID: 527624965-2394719699
                                                                                                                                                                                                            • Opcode ID: 33b46fb45c0b347bf73c8677b824b78fce6ca0f3fbe895d89cc39ea230d76531
                                                                                                                                                                                                            • Instruction ID: d367e108fbc910bf2c9e73f026ed20b5bbf0f58481257635bd6a75e73e31de73
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33b46fb45c0b347bf73c8677b824b78fce6ca0f3fbe895d89cc39ea230d76531
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 90F0CDB2948B00ABD220CF189801F02B7E4AB85B50F154E9DE9456F691D7B0F8808BE0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                              • Part of subcall function 6F816530: strpbrk.MSVCR100 ref: 6F81653C
                                                                                                                                                                                                              • Part of subcall function 6F816530: strchr.MSVCR100 ref: 6F816547
                                                                                                                                                                                                            • mprGetAbsPath.LIBMPR(?), ref: 6F8347E6
                                                                                                                                                                                                              • Part of subcall function 6F833AC0: mprNormalizePath.LIBMPR(6F83C79C), ref: 6F833B02
                                                                                                                                                                                                              • Part of subcall function 6F833AC0: mprMapSeparators.LIBMPR(00000000,?,6F83C79C), ref: 6F833B11
                                                                                                                                                                                                            • mprGetAbsPath.LIBMPR(?), ref: 6F834800
                                                                                                                                                                                                            • tolower.MSVCR100 ref: 6F8348AE
                                                                                                                                                                                                            • tolower.MSVCR100 ref: 6F8348B6
Similarity
• API ID: Path$tolower$NormalizeSeparatorsstrchrstrpbrk
• String ID:
• API String ID: 1107169961-0
• Opcode ID: 5c9473fd08e46afb04cdb593dd873a1ed71f924015c0d5df6978b58b9ae90a3a
• Instruction ID: ef4b12ded6f7920afbd01095557b82ae12829141c478909c31d141c87759cdde
• Opcode Fuzzy Hash: 5c9473fd08e46afb04cdb593dd873a1ed71f924015c0d5df6978b58b9ae90a3a
• Instruction Fuzzy Hash: D941F276A093E91ECB09DEA4A4403A5BB90BF87268F180DDADCD54F252E727A456C3D0
APIs
• mprCreateBuf.LIBMPR(00000000,00000000), ref: 6F830F8C
• mprPutBlockToBuf.LIBMPR(00000000,?,?), ref: 6F830FEC
• mprPutBlockToBuf.LIBMPR(00000000,?,?), ref: 6F83100D
• mprGrowBuf.LIBMPR(00000000,00000001), ref: 6F831066
Similarity
• API ID: Block$CreateGrow
• String ID:
• API String ID: 3868887822-0
• Opcode ID: 6513ef0c385ff4631dc96e415cd95e8adae8fe2a7d756588e6cf4ce6efa80052
• Instruction ID: f791d7a4de3406e69c82a8e41c87bcd0b05577679bed636f68387119b02741e2
• Opcode Fuzzy Hash: 6513ef0c385ff4631dc96e415cd95e8adae8fe2a7d756588e6cf4ce6efa80052
• Instruction Fuzzy Hash: F3310233E086619BDB14CEA8C890A5673A6EF81718F28DDD8EC599F265D731FC018BD0
APIs
• memset.MSVCR100 ref: 6F8254A5
• mprAllocMem.LIBMPR ref: 6F825530
• mprAllocMem.LIBMPR(00000038,00000002), ref: 6F825574
• mprAllocMem.LIBMPR(00000038,00000002), ref: 6F8255BC
Similarity
• API ID: Alloc$memset
• String ID:
• API String ID: 2464882426-0
• Opcode ID: df46aa8f00bb34c9062d16d5bb7ba7aee3ddfaffdf3d956943ff0f94f8f70902
• Instruction ID: deac1c543a36c679193554de3be1eb09573aec4315b09e74e73fca11b89fc51c
• Opcode Fuzzy Hash: df46aa8f00bb34c9062d16d5bb7ba7aee3ddfaffdf3d956943ff0f94f8f70902
• Instruction Fuzzy Hash: 534135B0654B029BE758CF28C452B42BBA0BB45715F908BC9D8454F39ADB71E899CBC0
APIs
• mprAllocFast.LIBMPR(?), ref: 6F81FCC6
• memcpy.MSVCR100(00000000,?,?), ref: 6F81FCD7
• mprAllocFast.LIBMPR(?), ref: 6F81FD0F
• memcpy.MSVCR100(00000000,?,?), ref: 6F81FD20
Similarity
• API ID: AllocFastmemcpy
• String ID:
• API String ID: 2273661864-0
• Opcode ID: 26c685d2261d555c207b581a6f7800e40e61651e7d6ffa11916d9351f85130e7
• Instruction ID: 195d7dd88ed29706394dcf0e44ba2a32347ff3a8a99ca28f60354ed1e692a60b
• Opcode Fuzzy Hash: 26c685d2261d555c207b581a6f7800e40e61651e7d6ffa11916d9351f85130e7
• Instruction Fuzzy Hash: FE31C4B290C75B5BD315CA68A884A87BBE5AF91258F048EF5EC44CF215F721E90887D0
APIs
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 511931b063f00d37aa1e1293e791cdfe7143906016d817229a8ce3c0ec1238de
• Instruction ID: de14612370fd45a9a53deb51057eb7de13b8bee7b3ca513c03866c6cdd3353b9
• Opcode Fuzzy Hash: 511931b063f00d37aa1e1293e791cdfe7143906016d817229a8ce3c0ec1238de
• Instruction Fuzzy Hash: 1031E47160A7055BE7048B6CC804B96B3E0AF82335F144BADE8659F2E1CB71F88487D1
APIs
• memcpy.MSVCR100(00000008,?,?), ref: 6F833C08
• GetModuleFileNameA.KERNEL32(00000000,000003FF,000003FF), ref: 6F833C3A
• mprGetAbsPath.LIBMPR ref: 6F833C5D
  • Part of subcall function 6F833AC0: mprNormalizePath.LIBMPR(6F83C79C), ref: 6F833B02
  • Part of subcall function 6F833AC0: mprMapSeparators.LIBMPR(00000000,?,6F83C79C), ref: 6F833B11
• sclone.LIBMPR(?), ref: 6F833C74
  • Part of subcall function 6F81C720: mprAllocFast.LIBMPR(?), ref: 6F81C744
  • Part of subcall function 6F81C720: memcpy.MSVCR100(00000000,?,?), ref: 6F81C755
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Pathmemcpy$AllocFastFileModuleNameNormalizeSeparatorssclone
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1560716922-0
                                                                                                                                                                                                            • Opcode ID: fd598c71f9e3a595afa588abea88b32dfbd9d74b0a3f83d25faf9f4a15fb031e
                                                                                                                                                                                                            • Instruction ID: 25672354382b1b4172553955c7602a4e814b64d12f4f94cd814a3a0761668f5e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd598c71f9e3a595afa588abea88b32dfbd9d74b0a3f83d25faf9f4a15fb031e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4D2106B3A046105BD724DBACC846B9AB3E5AF94604F8009A9D749DF2B1EB38DC05C6C5
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprCreateBuf.LIBMPR(00001000,00000000), ref: 6F830DEE
                                                                                                                                                                                                            • mprFlushFile.LIBMPR(?), ref: 6F830E20
                                                                                                                                                                                                            • mprPutBlockToBuf.LIBMPR(00000000,?,00000000), ref: 6F830E37
                                                                                                                                                                                                            • mprFlushFile.LIBMPR(?), ref: 6F830E46
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFlush$BlockCreate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3160397195-0
                                                                                                                                                                                                            • Opcode ID: 88c96c4eb2505d85938bb9117ec855253efa6cdd42969e34ad6a4684ec1dbb65
                                                                                                                                                                                                            • Instruction ID: 27d4b6ecb519194ad0d8be2316b98e953f10bd4ee388b8d77084c91c3a6cd122
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 88c96c4eb2505d85938bb9117ec855253efa6cdd42969e34ad6a4684ec1dbb65
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E212573B047125BC7108DBDE840B87B7E59FC127EF104AAAE8658E290E761F54A86D0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprCreateJson.LIBMPR(00000002,?,?,?,6F831798,?,00000000,?,?,?,?,6F831913,00000000,?), ref: 6F831695
                                                                                                                                                                                                              • Part of subcall function 6F815320: memset.MSVCR100 ref: 6F815371
                                                                                                                                                                                                            • scmp.LIBMPR(?,?,?,00000000), ref: 6F8316D6
                                                                                                                                                                                                            • sjoin.LIBMPR(6F83C8D0,?,6F83C79C,?,00000000), ref: 6F831736
                                                                                                                                                                                                            • sjoin.LIBMPR(6F83C8D0,?,00000000), ref: 6F831746
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: sjoin$CreateJsonmemsetscmp
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 887495400-0
                                                                                                                                                                                                            • Opcode ID: 3419fb5dcce32f408979f99d601ca3779c46f244da2c9ab1a5c5544510058eb3
                                                                                                                                                                                                            • Instruction ID: 1e3df2b511bd19d21d1263c44056c6d15b66ba63936ec55d32fe135b85f889eb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3419fb5dcce32f408979f99d601ca3779c46f244da2c9ab1a5c5544510058eb3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1121C976F047246BD704DEA88C80A6B73E8EF85758F084DA8FD049F252E720F91487E1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81B6D3
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81B6F6
                                                                                                                                                                                                            • mprReallocMem.LIBMPR(?,?), ref: 6F81B72C
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81B775
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$Leave$EnterRealloc
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1460477039-0
                                                                                                                                                                                                            • Opcode ID: 09779894ac4d01f290b499d128741eb85767984b7cc487013da72f05ea35dcf4
                                                                                                                                                                                                            • Instruction ID: 42296361552220b37e0d35af9d5febf2b21792b57f5cb982a02e732c4dd59be6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09779894ac4d01f290b499d128741eb85767984b7cc487013da72f05ea35dcf4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F021BF35608B039BC734CF29D490A16B3F5AF81720B018F9ED4A68B760D730F849CBA0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F824FC2
                                                                                                                                                                                                            • mprRemoveKey.LIBMPR(?,?), ref: 6F825019
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F825053
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            • Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeaveRemove
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3322092837-0
                                                                                                                                                                                                            • Opcode ID: 8c73acdb6ce500ba007df9245bf2851ff35f3a81634e2ab6026316b064b05754
                                                                                                                                                                                                            • Instruction ID: 7f74499cdf20b8a0e683dbbf8eab3139fd1cb541f705dd50ce5d37aa669f0126
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c73acdb6ce500ba007df9245bf2851ff35f3a81634e2ab6026316b064b05754
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8B2103356847029BEB188F28DC14B9677D4AF42704F150E9DE8859F285DB62F885C7E0
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F824E42
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F824E6E
                                                                                                                                                                                                            • mprGetTicks.LIBMPR ref: 6F824E82
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F35
                                                                                                                                                                                                              • Part of subcall function 6F818F20: InitializeCriticalSectionAndSpinCount.KERNEL32(6F8438A4,000005DC), ref: 6F818F50
                                                                                                                                                                                                              • Part of subcall function 6F818F20: EnterCriticalSection.KERNEL32(6F8438A4), ref: 6F818F64
                                                                                                                                                                                                              • Part of subcall function 6F818F20: GetTickCount.KERNEL32 ref: 6F818F6A
                                                                                                                                                                                                              • Part of subcall function 6F818F20: LeaveCriticalSection.KERNEL32(6F8438A4), ref: 6F818FB7
• LeaveCriticalSection.KERNEL32(?), ref: 6F824EC4
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$CountLeave$EnterTick$InitializeSpinTicks
• String ID:
• API String ID: 1787298031-0
APIs
• mprTrimPathExt.LIBMPR(?), ref: 6F8327E3
  • Part of subcall function 6F8201A0: mprAllocFast.LIBMPR(?), ref: 6F8201D2
  • Part of subcall function 6F8201A0: memcpy.MSVCR100(00000000,?,?), ref: 6F8201E3
  • Part of subcall function 6F8201A0: strrchr.MSVCR100 ref: 6F8201EF
  • Part of subcall function 6F8201A0: strpbrk.MSVCR100 ref: 6F820203
• sjoin.LIBMPR(00000000,?,00000000), ref: 6F8327F4
  • Part of subcall function 6F82F4E0: sjoinv.LIBMPR(?,?), ref: 6F82F4EA
• sjoin.LIBMPR(00000000,6F83C79C,?,00000000), ref: 6F832804
• memcpy.MSVCR100(00000008,?,?), ref: 6F832861
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: memcpysjoin$AllocFastPathTrimsjoinvstrpbrkstrrchr
• String ID:
• API String ID: 201036249-0
APIs
• _getcwd.MSVCR100 ref: 6F833CBD
• mprGetAbsPath.LIBMPR(6F83BC50), ref: 6F833CCF
  • Part of subcall function 6F833AC0: mprNormalizePath.LIBMPR(6F83C79C), ref: 6F833B02
  • Part of subcall function 6F833AC0: mprMapSeparators.LIBMPR(00000000,?,6F83C79C), ref: 6F833B11
• mprMapSeparators.LIBMPR(01070020,01070020), ref: 6F833D04
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: PathSeparators$Normalize_getcwd
• String ID:
• API String ID: 2061012445-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F82960B
• mprSignalCond.LIBMPR(?), ref: 6F82964C
• LeaveCriticalSection.KERNEL32(?), ref: 6F829662
• mprYield.LIBMPR(?), ref: 6F829674
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$CondEnterLeaveSignalYield
• String ID:
• API String ID: 914922184-0
APIs
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Create$LockSpin$Listmemset
• String ID:
• API String ID: 1958661408-0
APIs
• mprDestroyWaitHandler.LIBMPR(?,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E17
  • Part of subcall function 6F8248F0: EnterCriticalSection.KERNEL32(?), ref: 6F82490F
  • Part of subcall function 6F8248F0: mprRemoveWaitHandler.LIBMPR(?), ref: 6F82491C
  • Part of subcall function 6F8248F0: mprRemoveEvent.LIBMPR(?), ref: 6F824933
  • Part of subcall function 6F8248F0: LeaveCriticalSection.KERNEL32(?), ref: 6F824955
• _close.MSVCR100 ref: 6F826E2D
• _close.MSVCR100 ref: 6F826E40
• TerminateProcess.KERNEL32(?,00000002,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E87
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalHandlerRemoveSectionWait_close$DestroyEnterEventLeaveProcessTerminate
• String ID:
• API String ID: 303968694-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81B618
• mprReallocMem.LIBMPR(?), ref: 6F81B65D
• LeaveCriticalSection.KERNEL32(?), ref: 6F81B684
• LeaveCriticalSection.KERNEL32(?), ref: 6F81B697
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRealloc
• String ID:
• API String ID: 1460477039-0
• Opcode ID: 1b12d2f9e458845c26832d5009046f30c6b293679cd51ce57f4e2f74b62dd09e
• Instruction ID: 600f0a831c9cd6563d774365e445c6d60830e9defafcef27c20935dd47530023
• Opcode Fuzzy Hash: 1b12d2f9e458845c26832d5009046f30c6b293679cd51ce57f4e2f74b62dd09e
• Instruction Fuzzy Hash: 29114A76A09B128FDB24CF25D804B56B3B5AFA1724F018E99D4669F690C730F846CBA0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 6F81944E
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819467
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819483
• GetTimeZoneInformation.KERNEL32(?), ref: 6F8194A3
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: Time$Unothrow_t@std@@@__ehfuncinfo$??2@$FileInformationSystemZone
• String ID:
• API String ID: 1971263773-0
• Opcode ID: 32577358890f3268a6e60d7bad5a7c6e1964a21f66c06c4c0109c1e9dfb5610a
• Instruction ID: 5eed2984c2a62a565c186312f7c5be913e732ec51dba8ae0a5c16f6c8fc67093
• Opcode Fuzzy Hash: 32577358890f3268a6e60d7bad5a7c6e1964a21f66c06c4c0109c1e9dfb5610a
• Instruction Fuzzy Hash: 321182B3A053119BE724CF68C981F6BBBE9EFC9750F00896DE54987254D634D504CBD2
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81B578
• mprReallocMem.LIBMPR(?,00000000), ref: 6F81B5A8
• LeaveCriticalSection.KERNEL32(?), ref: 6F81B5D5
• LeaveCriticalSection.KERNEL32(?), ref: 6F81B5E8
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterRealloc
• String ID:
• API String ID: 1460477039-0
• Opcode ID: 9a9a5d195e14fd44f9f01c0e6d011717f1d39cf2489b400317a1226d37c83285
• Instruction ID: 7ac319c250761bb4e8a1484c466131fa16fb65e750b9c467bc2ec93b5b36c54c
• Opcode Fuzzy Hash: 9a9a5d195e14fd44f9f01c0e6d011717f1d39cf2489b400317a1226d37c83285
• Instruction Fuzzy Hash: 58117F71908B13CFCB30CF25D840A86B7E5AF45720B018F9AD4669B761D730F845CB90
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81FBBA
• scmp.LIBMPR(?,?), ref: 6F81FBD8
• LeaveCriticalSection.KERNEL32(?), ref: 6F81FBF4
• LeaveCriticalSection.KERNEL32(?), ref: 6F81FC0C
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$Leave$Enterscmp
• String ID:
• API String ID: 125909038-0
• Opcode ID: 70f4b1d3e88d33b3c9e1e99099b8030e7e302ad63aa28b1ac8cbeef418e0a304
• Instruction ID: 8f08e5ee5b2e7565e2a6636959aa8b43a8fb43dd598233616063d3fe89d55305
• Opcode Fuzzy Hash: 70f4b1d3e88d33b3c9e1e99099b8030e7e302ad63aa28b1ac8cbeef418e0a304
• Instruction Fuzzy Hash: 220192767083079B9F24CEA8EC94A9BB398EF516A1F000EA6FC15CB241D730E810C7A1
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81EEAF
• mprRemoveEvent.LIBMPR(?), ref: 6F81EEEC
• LeaveCriticalSection.KERNEL32(?), ref: 6F81EF00
• mprQueueEvent.LIBMPR(?,?), ref: 6F81EF08
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalEventSection$EnterLeaveQueueRemove
• String ID:
• API String ID: 3306192345-0
• Opcode ID: 9de46eb98d33ca7d950dc08d0a4a64835f269c06c2ee1a320c1fcc1270eb1af7
• Instruction ID: 649ed61343033a4850c1adf5a6dd787e5c37c8498e8eae0aee6a66d2cfaeab34
• Opcode Fuzzy Hash: 9de46eb98d33ca7d950dc08d0a4a64835f269c06c2ee1a320c1fcc1270eb1af7
• Instruction Fuzzy Hash: 7E111C76904B069FC724CF2AD844A43F7E5BF88614B108A5EE89A87B11E770F454CBA1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F821D6B
                                                                                                                                                                                                            • WSAAsyncSelect.WS2_32(?,?,?,00000000), ref: 6F821DA2
                                                                                                                                                                                                            • mprRemoveEvent.LIBMPR(?), ref: 6F821DB0
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F821DCB
Memory Dump Source
• Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: CriticalSection$AsyncEnterEventLeaveRemoveSelect
• String ID:
• API String ID: 3246957841-0
• Opcode ID: a2c746a5e0f59451f6cc01e46a28687d5fa4a936fa9fd68105037fd99f380e56
• Instruction ID: f7e7bbebec2ea034df07b2a88e5a4f8b3e7d488488b9690d77961f941ff71f86
• Opcode Fuzzy Hash: a2c746a5e0f59451f6cc01e46a28687d5fa4a936fa9fd68105037fd99f380e56
• Instruction Fuzzy Hash: 07113C76204E02EFEB148E65C444BA6B7E9AF84610F250E9DE8958BA54DB32F481C7D0
APIs
• GetCurrentThreadId.KERNEL32 ref: 6F822422
• GetCurrentThreadId.KERNEL32 ref: 6F82243C
• GetCurrentThreadId.KERNEL32 ref: 6F82246A
• mprScheduleDispatcher.LIBMPR(?), ref: 6F82248C
Similarity
• API ID: CurrentThread$DispatcherSchedule
• String ID:
• API String ID: 2422751001-0
• Opcode ID: 2a1441d482649ebb7ef4023b4c5c039a09d4a93d75695b9a3cc18d334e77aefe
• Instruction ID: 92cf54ba10288f4190fda202beecc186168b2bbcf7fac953d9568a1683ec7d53
• Opcode Fuzzy Hash: 2a1441d482649ebb7ef4023b4c5c039a09d4a93d75695b9a3cc18d334e77aefe
• Instruction Fuzzy Hash: A4113C71604B018FD714DF69C880956B3F5BF88714B148E9ED0898B651E734F886CB95
APIs
• PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 6F812CF0
• _read.MSVCR100 ref: 6F812D12
• WaitForSingleObject.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 6F812D2B
• SetLastError.KERNEL32(00002733,?,00000000,00000000,00000000,?,00000000), ref: 6F812D3A
Similarity
• API ID: ErrorLastNamedObjectPeekPipeSingleWait_read
• String ID:
• API String ID: 3435503168-0
• Opcode ID: eabdb4fcc8020fd3ffa6a56778b50dbbb9912abd4c8b40302418ac241e581e6d
• Instruction ID: 5051551bdf7f4eb0e46b507bdfc395f1102dc5a2626995206a610d097ddf06b8
• Opcode Fuzzy Hash: eabdb4fcc8020fd3ffa6a56778b50dbbb9912abd4c8b40302418ac241e581e6d
• Instruction Fuzzy Hash: CF017136308706EFEA14CE68EC44F9A73A8BB85720F004A99F555D62D0C774E855DBF1
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81DC1A
• SetEvent.KERNEL32 ref: 6F81DC31
• LeaveCriticalSection.KERNEL32(?), ref: 6F81DC3F
• Sleep.KERNEL32(00000001), ref: 6F81DC6A
Similarity
• API ID: CriticalSection$EnterEventLeaveSleep
• String ID:
• API String ID: 1925615494-0
• Opcode ID: dbfbfedd1b1af478ed5148f721acfd8e11db99303c94ad3baaffdba3195c4361
• Instruction ID: 764c18da90cd5ef5c0e0641c5db318fa21c9bb1fe82333deb9c86437875a0c4b
• Opcode Fuzzy Hash: dbfbfedd1b1af478ed5148f721acfd8e11db99303c94ad3baaffdba3195c4361
• Instruction Fuzzy Hash: FD015236604A12CFCF14EA59C548B55B3F5AF45715F014DDAD849AF350C3B0B842DBD0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F81B7AC
• mprLookupItem.LIBMPR(?,?), ref: 6F81B7B9
• mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F81B7C9
• LeaveCriticalSection.KERNEL32(?), ref: 6F81B7DB
Similarity
• API ID: CriticalItemSection$EnterLeaveLookupRemove
• String ID:
• API String ID: 3668140444-0
• Opcode ID: 407b7f10e01e7f8357628a6c8f11bbc96a0c8ec28984d1c4dcdfce4251ed0520
• Instruction ID: 8eb1b721b40e258e532f2b380b9a0ef4ef73e5369990be93fabd9e1a8d89f79f
• Opcode Fuzzy Hash: 407b7f10e01e7f8357628a6c8f11bbc96a0c8ec28984d1c4dcdfce4251ed0520
• Instruction Fuzzy Hash: B9F05B36A09B12578A21C928A844B5B37A49F81671B064E95F8149F350D724E94987E1
APIs
  • Part of subcall function 6F826DF0: mprDestroyWaitHandler.LIBMPR(?,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E17
  • Part of subcall function 6F826DF0: _close.MSVCR100 ref: 6F826E2D
  • Part of subcall function 6F826DF0: _close.MSVCR100 ref: 6F826E40
  • Part of subcall function 6F826DF0: TerminateProcess.KERNEL32(?,00000002,?,?,?,?,6F826ECE,?,00000000), ref: 6F826E87
• EnterCriticalSection.KERNEL32(?), ref: 6F826EF0
• mprLookupItem.LIBMPR(?,?), ref: 6F826EF8
• mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F826F06
• LeaveCriticalSection.KERNEL32(?), ref: 6F826F16
Similarity
• API ID: CriticalItemSection_close$DestroyEnterHandlerLeaveLookupProcessRemoveTerminateWait
• String ID:
• API String ID: 2449657405-0
• Opcode ID: 78eb93679774d132699c20d424b7c4e75807085d84fc2389055d5577ec2997f6
• Instruction ID: c1aecee2d4d110327462135c34dde9226e7e2cb9c3605c6b573f8ce30103f479
• Opcode Fuzzy Hash: 78eb93679774d132699c20d424b7c4e75807085d84fc2389055d5577ec2997f6
• Instruction Fuzzy Hash: 08F02436A01B10EBDE208A289C04F5B37E89F43A15F050CE9EC00AF281D730F944C3E1
APIs
• EnterCriticalSection.KERNEL32(?), ref: 6F822DD8
• mprLookupStringItem.LIBMPR(?,?), ref: 6F822DE4
• mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F822DF4
• LeaveCriticalSection.KERNEL32(?), ref: 6F822E0A
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalItemSection$EnterLeaveLookupRemoveString
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 2284075351-0
                                                                                                                                                                                                            • Opcode ID: 09dcc0e616aa961ab1bdd4225f9aa3b81ac37c41a8b78a5883ccffbbbed48f3f
                                                                                                                                                                                                            • Instruction ID: 6617de89c2f8df614f9baa8fb5f0eed9918392e9e8cd3c246cf9ef197f6b288f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09dcc0e616aa961ab1bdd4225f9aa3b81ac37c41a8b78a5883ccffbbbed48f3f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CFF0893B915F2667DA2189749C04B9B36E95F81B11F060DD9EC14BF200DB28FC9583F1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • mprGetAbsPath.LIBMPR(?), ref: 6F834C80
                                                                                                                                                                                                              • Part of subcall function 6F833AC0: mprNormalizePath.LIBMPR(6F83C79C), ref: 6F833B02
                                                                                                                                                                                                              • Part of subcall function 6F833AC0: mprMapSeparators.LIBMPR(00000000,?,6F83C79C), ref: 6F833B11
                                                                                                                                                                                                            • mprGetRelPath.LIBMPR(?,00000000), ref: 6F834C93
                                                                                                                                                                                                            • mprMapSeparators.LIBMPR(00000000,0000005C), ref: 6F834CB4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Path$Separators$Normalize
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 53274795-0
                                                                                                                                                                                                            • Opcode ID: df932c64d3d3a031b174498be04417837533c193eaacfc75cde826b4c152ee3e
                                                                                                                                                                                                            • Instruction ID: decd8fcd6b7a2f2ae58d9efadb201633384a988848926bdb9dfb80e74d34f304
                                                                                                                                                                                                            • Opcode Fuzzy Hash: df932c64d3d3a031b174498be04417837533c193eaacfc75cde826b4c152ee3e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D8E037B7F463207ED30156E89C52F9777846BC1255F048DD6A5945E1E1D63AD40283D2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6F81DE4E
                                                                                                                                                                                                            • mprLookupItem.LIBMPR(?,?), ref: 6F81DE5A
                                                                                                                                                                                                            • mprRemoveItemAtPos.LIBMPR(?,00000000), ref: 6F81DE68
                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6F81DE78
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CriticalItemSection$EnterLeaveLookupRemove
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3668140444-0
                                                                                                                                                                                                            • Opcode ID: 7b6651c2c43cbd8c24a1d0f367ee83a80047aedc7cb76b45284757baa0457b3e
                                                                                                                                                                                                            • Instruction ID: 42388b62ad9d14e291f88128aa1fff6003effdda0beea4850b8a85ab97ff8edd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b6651c2c43cbd8c24a1d0f367ee83a80047aedc7cb76b45284757baa0457b3e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03F0A7B7A09B23ABDE65DB689804B9B37A96F11A16F050EC9E8019F110D720FC44C7E1
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: __alldvrmmemmove
                                                                                                                                                                                                            • String ID: 0123456789ABCDEF
                                                                                                                                                                                                            • API String ID: 1270565343-2554083253
                                                                                                                                                                                                            • Opcode ID: 04738a3b5493ae0469b2e3f07e5a5174bfd065a3a1e5ef5df27d02a4a96e169a
                                                                                                                                                                                                            • Instruction ID: 3dc5cd5cc7077da66c28808294699eb45987d9117262caad45842e721628bb5c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 04738a3b5493ae0469b2e3f07e5a5174bfd065a3a1e5ef5df27d02a4a96e169a
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E318DB660DB519FD714CF1CC84069FBBE1ABC9224F444EAEF89987310E634D840CB82
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • gettimeofday.LIBMPR(?,00000000), ref: 6F82659C
                                                                                                                                                                                                              • Part of subcall function 6F819420: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6F81944E
                                                                                                                                                                                                              • Part of subcall function 6F819420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819467
                                                                                                                                                                                                              • Part of subcall function 6F819420: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F819483
                                                                                                                                                                                                              • Part of subcall function 6F819420: GetTimeZoneInformation.KERNEL32(?), ref: 6F8194A3
                                                                                                                                                                                                              • Part of subcall function 6F81D280: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F81D2D4
                                                                                                                                                                                                              • Part of subcall function 6F81D280: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6F81D32B
                                                                                                                                                                                                              • Part of subcall function 6F81D280: _localtime64.MSVCR100 ref: 6F81D33D
                                                                                                                                                                                                              • Part of subcall function 6F81D280: GetTimeZoneInformation.KERNEL32(?), ref: 6F81D35C
                                                                                                                                                                                                            • mprFormatTm.LIBMPR(%a %b %d %T %Y %Z,?,?,000003E8,00000000,00000001), ref: 6F8265F8
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: TimeUnothrow_t@std@@@__ehfuncinfo$??2@$InformationZone$FileFormatSystem_localtime64gettimeofday
                                                                                                                                                                                                            • String ID: %a %b %d %T %Y %Z
                                                                                                                                                                                                            • API String ID: 879227251-468041782
                                                                                                                                                                                                            • Opcode ID: c3ce64413a398511c71d67df0e0f714ec95e2e29064fb86bebe5aa01ccd9475e
                                                                                                                                                                                                            • Instruction ID: dff5a678affa1d8d4b41cc945ff0e21074f3e2b4f20618896adde6a4d273bcdd
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c3ce64413a398511c71d67df0e0f714ec95e2e29064fb86bebe5aa01ccd9475e
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4A01F9B3A043102BD304DA5C9C41B6B73EA9BC4714F484D59F9548F284E674ED0487E2
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 0000000F.00000002.1874336241.000000006F811000.00000020.00000001.01000000.0000000E.sdmp, Offset: 6F810000, based on PE: true
• Associated: 0000000F.00000002.1874316102.000000006F810000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874363771.000000006F83A000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874387828.000000006F843000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000F.00000002.1874409389.000000006F844000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_15_2_6f810000_RDMAppman.jbxd
Similarity
• API ID: isdigit
• String ID: *
• API String ID: 2326231117-163128923
APIs
Strings
Similarity
• API ID: isdigit
• String ID: *
• API String ID: 2326231117-163128923
APIs
• RegisterClassA.USER32 ref: 6F829D20
• mprError.LIBMPR(Cannot register windows class), ref: 6F829D33
  • Part of subcall function 6F827010: mprPrintfCore.LIBMPR(?,00002000,?,?,6F825F72,Cannot open log file %s,?), ref: 6F827042
Strings
• Cannot register windows class, xrefs: 6F829D2E
Similarity
• API ID: ClassCoreErrorPrintfRegister
• String ID: Cannot register windows class
• API String ID: 224709301-3740542665